Unit 42 is tracking a new extortion brand called Pink, also identified as CL-CRI-1147, that should get attention from any organization relying heavily on Microsoft 365. The activity is not notable because it uses exotic malware. It is notable because the attack path is ordinary, fast, and painfully realistic: call a user, impersonate internal IT, capture credentials and MFA context, then use legitimate cloud access to pull sensitive files.
For SMBs and government contractors, that is the key lesson. Microsoft 365 is often where proposals, customer records, contracts, CUI-adjacent documents, HR files, legal material, and executive communications live. If an attacker can turn one trusted account into OneDrive, SharePoint, and Teams access, the incident can become an extortion event before endpoint tools ever see a payload.
What Unit 42 Reported
According to Unit 42’s timely threat intelligence note, Pink appears to be a Com-affiliated extortion cluster with tradecraft similar to groups such as Bling Libra / ShinyHunters and other cloud-focused data theft crews. Unit 42 reported that Pink’s leak site went live on May 31, 2026 and listed multiple victims.
The reported initial access pattern is straightforward: the actor uses voice phishing while posing as internal IT staff. Victims are directed to phishing domains designed around passkey or deployment themes. After account access is obtained, the actor rapidly searches for and exfiltrates data from SharePoint and OneDrive. Unit 42 also noted that the actor used compromised victim accounts to send extortion emails and internal Microsoft Teams messages, including tight response deadlines.
Hackread’s follow-on coverage highlighted the same operational point: Pink is leaning on legitimate cloud identity and collaboration workflows, not noisy malware deployment. That makes the campaign a useful warning for defenders who still treat email security, endpoint monitoring, and Microsoft 365 logging as separate problems.
Why This Matters
Vishing-led cloud extortion is dangerous because it attacks the human helpdesk path and the cloud control plane at the same time. A user may believe they are cooperating with IT. The sign-in may look like a valid account event. The data movement may happen through sanctioned Microsoft APIs or automation clients. The extortion message may even come from an internal account, increasing urgency and confusion.
That is exactly the kind of scenario that can hurt smaller organizations with lean IT teams. If a business only reviews endpoint alerts, it may miss the actual theft. If it only blocks known phishing domains, it may miss abuse of a valid session. If it only trains users once a year, it may not prepare them for a live phone call from someone pretending to be support.
Defensive Takeaways
- Harden helpdesk verification. Require call-back procedures, ticket validation, and manager approval for password resets, MFA changes, passkey enrollment, and device registration.
- Move high-risk users to phishing-resistant MFA. FIDO2/security keys or properly governed passkeys reduce the value of credential collection and real-time MFA relay.
- Watch Microsoft 365 data movement. Alert on unusual SharePoint or OneDrive enumeration, mass downloads, new automation clients, abnormal Graph API usage, and access from unfamiliar infrastructure.
- Audit Teams and internal email after account compromise. Treat internal extortion messages or unusual Teams broadcasts as evidence of lateral trust abuse, not just communications noise.
- Restrict sensitive document repositories. Proposal folders, legal files, HR records, contract data, and customer deliverables should not be broadly accessible by default.
- Pre-stage incident response queries. Have Microsoft Entra ID, Defender for Cloud Apps, Purview audit, and M365 unified audit log searches ready before an incident starts.
Bulwark Black Assessment
Pink is another reminder that the identity perimeter is now part of incident response. The attacker does not need ransomware if they can steal cloud documents, prove possession, and pressure executives through internal channels. For government contractors, the practical priority is not just blocking malware; it is proving who accessed sensitive cloud data, what they touched, and whether the access path was authorized.
Organizations should use this reporting to review three things immediately: helpdesk identity proofing, Microsoft 365 exfiltration visibility, and access rights around sensitive document libraries. If those controls are weak, a vishing call can become a data breach.
Sources: Unit 42 timely threat intelligence on Pink / CL-CRI-1147; Hackread coverage.
