Pink extortion group targets Microsoft 365 data
The Pink extortion group is a new cyber threat targeting Microsoft 365 data using vishing and rapid cloud data theft. In the first weeks of activity, Pink has already listed victims and demonstrated tactics that organisations must understand to protect sensitive cloud data.
Understanding the Pink extortion group’s tactics
Emergence and background
Cybersecurity researchers at Unit 42 have begun tracking a cluster of activity known as CL-CRI-1147, attributed to the Pink extortion group. The group operates a leak site and aims to build a reputation in the cybercrime ecosystem by targeting organisations and exposing stolen data. Although Pink is a new name, its methods resemble those of established cybercrime crews such as ShinyHunters and Blackfile, both known for targeting cloud environments and stealing corporate data for extortion.
Vishing: Manipulating employees for access
Unlike ransomware groups that rely on malware, Pink uses vishing (voice phishing) to trick employees. Attackers impersonate internal IT staff by phone and convince victims to visit phishing websites and enter their Microsoft 365 credentials. Phishing domains reported for this activity include:
- passkeyadd[.]com
- passkeydeploy[.]com
- deploypasskey[.]com
These domains mimic legitimate authentication workflows, making it harder for users to detect fraud. Once credentials are entered, Pink gains access to Microsoft 365 accounts, including multi-factor authentication sessions if available.
Rapid data theft via Microsoft Graph API
After compromising an account, Pink moves quickly to steal data. The group focuses on exfiltrating files from cloud collaboration platforms, especially SharePoint and OneDrive. Researchers observed the following user agent strings in the data theft activity:
- Microsoft.Graph.Client/5.62.0
- python-requests/2.28.1
- python-requests/2.33.1
The use of Microsoft Graph API means Pink leverages legitimate cloud tools to automate the identification and collection of sensitive files. This speeds up data theft and reduces the time defenders have to respond.
Why Pink extortion group matters for organisations
Risks to Microsoft 365 tenants
The Pink extortion group’s focus on Microsoft 365 makes most modern organisations potential targets. Microsoft 365 is widely used for email, document storage and collaboration, so a single compromised account can expose confidential files, intellectual property and personally identifiable information. The consequences include:
- Exposed sensitive business data within minutes
- Potential reputational damage from public leaks
- Financial risk from extortion demands
- Disruption to business operations
Pink’s tactics show that attackers can bypass technical controls by exploiting human trust, then use native cloud tools to quickly steal data. This combination of social engineering and cloud exploitation raises the stakes for organisations relying on Microsoft 365.
Challenges in detection and response
Because Pink uses legitimate Microsoft Graph API calls and often compromises accounts with multi-factor authentication, traditional security controls may not detect the threat immediately. The speed of data exfiltration means defenders must be able to spot unusual activity quickly, such as unexpected downloads or access from new devices and user agents.
Organisations should note the user agent strings reported by researchers, including Microsoft.Graph.Client and python-requests, as indicators of possible malicious automation in cloud environments.
Defensive steps for Microsoft 365 environments
Strengthen multi-factor authentication
- Enforce phishing-resistant MFA methods, such as FIDO2 security keys
- Regularly review MFA enrolments and remove unused or suspicious devices
Monitor cloud access and activity
- Enable logging and alerting on unusual access patterns, including new IP addresses, devices and user agents
- Set up alerts for large data downloads from SharePoint, OneDrive and other cloud services
- Monitor for the user agents reported in this activity, such as python-requests or Microsoft.Graph.Client; both are legitimate client libraries, so treat them as indicators of possible automation to be correlated with other signals (new IP addresses, download volume) rather than as proof of compromise on their own
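The detection approach described above (spotting scripted clients from unseen addresses and bursts of downloads from SharePoint or OneDrive) as an added illustration; this is example code written for this page, not tooling from Unit 42 or Microsoft. The event records are constructed samples shaped loosely like unified audit log entries (field names are an assumption), and the per-user IP baseline is likewise constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# User agent prefixes reported for this activity. Both are legitimate client
# libraries, so a match is only escalated when paired with an unseen source IP.
SUSPECT_AGENT_PREFIXES = ("Microsoft.Graph.Client/", "python-requests/")

# Constructed baseline (assumption): IPs each user normally signs in from.
BASELINE_IPS = {"alice@example.com": {"203.0.113.10"}}

# Constructed sample events loosely shaped like SharePoint/OneDrive audit records:
# one normal browser download, then six scripted downloads from a new IP.
SAMPLE_EVENTS = [
    {"CreationTime": "2025-01-10T09:00:00", "UserId": "alice@example.com",
     "Operation": "FileDownloaded", "ClientIP": "203.0.113.10",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0)", "Workload": "SharePoint"},
] + [
    {"CreationTime": f"2025-01-10T09:1{i}:00", "UserId": "alice@example.com",
     "Operation": "FileDownloaded", "ClientIP": "198.51.100.7",
     "UserAgent": "python-requests/2.28.1", "Workload": "OneDrive"}
    for i in range(6)
]


def detect(events, baseline_ips, window=timedelta(minutes=10), threshold=5):
    """Return (user, reason) findings: scripted clients from unseen IPs, and
    any user with >= threshold FileDownloaded events inside one sliding window."""
    findings, seen_agents = [], set()
    downloads = defaultdict(list)
    for ev in events:
        user, ua, ip = ev["UserId"], ev["UserAgent"], ev["ClientIP"]
        if ua.startswith(SUSPECT_AGENT_PREFIXES) and ip not in baseline_ips.get(user, set()):
            if (user, ua, ip) not in seen_agents:  # report each user/agent/IP combo once
                seen_agents.add((user, ua, ip))
                findings.append((user, f"scripted client {ua} from unseen IP {ip}"))
        if ev["Operation"] == "FileDownloaded":
            downloads[user].append(datetime.fromisoformat(ev["CreationTime"]))
    for user, times in downloads.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over sorted timestamps
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                findings.append((user, f"{count} downloads within {window}"))
                break
    return findings


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_EVENTS, BASELINE_IPS):
        print(f"ALERT {user}: {reason}")
```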
Block known phishing infrastructure
- Add domains reported by researchers (e.g., passkeyadd[.]com, passkeydeploy[.]com) to blocklists
- Regularly update threat intelligence feeds and block indicators of compromise
Educate employees against vishing and phishing
- Run awareness campaigns about voice phishing and common social engineering tactics
- Encourage staff to verify unusual requests independently before entering credentials
Develop rapid response procedures
- Establish playbooks for suspected account compromise
- Ensure incident response teams can quickly revoke access, reset credentials and investigate cloud audit logs
Preparing for evolving extortion threats
Proactive risk management
The Pink extortion group highlights the importance of layered security for cloud environments. Organisations should regularly assess their Microsoft 365 configurations, review user permissions and ensure sensitive data is protected by least privilege principles.
Proactive monitoring, employee training and rapid response capabilities are essential to reduce the impact of new extortion threats. As attackers adopt new brands and tactics, ongoing vigilance and adaptation are key.
Collaborate on threat intelligence
Share indicators of compromise and suspicious activity with trusted partners and cyber threat intelligence networks. Collaborating on detection methods helps the wider community defend against emerging threats like Pink.
Conclusion
The Pink extortion group’s emergence signals a shift towards faster, cloud-based data theft and extortion. By abusing vishing and Microsoft 365, Pink demonstrates the need for robust security controls, effective employee awareness and real-time monitoring. Organisations should act now to harden Microsoft 365 environments and stay ahead of evolving cyber threats.
Originally reported by thecyberexpress.com.