[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5McNjsOmYvfduqvzCaOcpQTQAicmafCBa3DMQgxMzWE":3},{"article":4,"iocs":57},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"54c907f7-07a5-4f5a-8e37-6fdf0ea8ef5a","New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams","new-pink-extortion-group-targets-microsoft-365-cloud-data-via-vishing-scams-0d3e80","Cybersecurity researchers are warning businesses about Pink Extortion Group, a threat actor that uses voice phishing to bypass multi-factor authentication and steal files from cloud environments.","A new threat actor, Pink Extortion Group, is targeting corporate Microsoft 365 environments by using voice phishing (vishing) to trick employees into revealing credentials. This allows them to bypass multi-factor authentication and exfiltrate sensitive files from cloud storage. The group then uses internal communication channels to demand payment within a tight deadline.","Pink Extortion Group targets Microsoft 365 data using vishing to bypass MFA.","New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams Cybersecurity researchers are warning businesses about Pink Extortion Group, a threat actor that uses voice phishing to bypass multi-factor authentication and steal files from cloud environments. By Deeba Ahmed, June 6, 2026. A new cybercrime group called Pink is targeting corporate data for financial extortion. Palo Alto Networks’ research division, Unit 42, first exposed this threat, believed to be linked with the broader Com network. The researchers tracked the group under the cluster code CL-CRI-1147, and reported that Pink launched a dedicated data leak site on 31 May 2026, listing several initial victims. 
Building on Unit 42’s data, security analytics firm Gurucul released a follow-up analysis on 4 June 2026 to help companies spot the group’s footprint inside corporate networks. Initial Entry and Cloud Theft Unit 42’s research reveals that Pink avoids traditional malware payloads. Instead, the threat actors rely on voice phishing, or vishing, to target corporate users. By impersonating internal IT personnel over the phone, the hackers manipulate employees into visiting credential-stealing domains like passkeyaddcom or passkeydeploy.com. When an employee falls for the scam and enters their details, the hackers steal their active log-in session. This lets them bypass multi-factor authentication defences. They can then access the company’s Microsoft 365 system and, using Microsoft’s own automated tools, sweep through cloud storage and drain sensitive files from OneDrive and SharePoint folders in just minutes. With the data secured, the extortion begins. Pink uses the compromised employee accounts to email co-workers and send internal Microsoft Teams messages demanding payment, giving executives a tight 72-hour deadline to respond. Detecting the Hidden Footprint Following Unit 42’s disclosure, Gurucul analysed how Pink operates on local workstations after initial access. In an advisory published on 4 June 2026, Gurucul noted that Pink uses fileless methods to stay hidden. Instead of downloading a massive, obvious virus onto a hard drive, the hackers deploy tiny code commands that hide inside legitimate system paths. The software builds its main code directly within the computer’s temporary memory cache, making it completely invisible to standard antivirus folder scanners. Gurucul also found that the code checks the computer environment first; if it spots a sandbox or an analysis laboratory used by security teams, it hides its behaviour. 
How to Stop the Attack Because Pink uses legitimate cloud tools and authentic account access, standard firewalls struggle to spot them. Experts recommend training employees to verify unexpected IT phone calls independently. Those responsible for network security must also look for unusual automated scripts in their logs, block the group’s known web domains, and use behavioural monitoring to catch massive, sudden file downloads before the data leaves the company. Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.","https:\u002F\u002Fhackread.com\u002Fpink-extortion-microsoft-365-cloud-data-vishing-scams\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Fpink-extortion-microsoft-365-cloud-data-vishing-scams.jpg","2026-06-06T18:47:34+00:00","2026-06-06T22:00:16.553108+00:00",8,[18,21,24,27,30,32],{"name":19,"type":20},"Pink Extortion Group","threat_actor",{"name":22,"type":23},"Microsoft 365","product",{"name":25,"type":26},"Palo Alto Networks","vendor",{"name":28,"type":29},"vishing","technology",{"name":31,"type":29},"multi-factor authentication",{"name":33,"type":23},"OneDrive","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":34,"icon":36,"name":37,"slug":38},null,"Threat Intelligence","threat-intelligence",[40,45,50,55],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",{"category":56},{"id":34,"icon":36,"name":37,"slug":38},[58],{"type":59,"value":60,"context":61},"domain","passkeydeploy.com","Credential stealing domain used by Pink Extortion Group."]