
Pink Extortion Group Emerges Targeting Microsoft 365 Data
Why It Matters
Pink’s blend of social engineering and legitimate cloud tools enables fast, high‑impact data breaches that bypass traditional ransomware defenses, raising the urgency for organizations to harden Microsoft 365 access and monitoring.
Key Takeaways
- Pink extortion brand uses vishing to steal Microsoft 365 credentials
- Attackers exfiltrate SharePoint and OneDrive data via Microsoft Graph API
- Victims receive extortion threats through their own Teams and email accounts
- Infrastructure reuse shows organized, scalable operation across multiple campaigns
- Phishing domains mimic legitimate password workflows to deceive employees
Pulse Analysis
The emergence of the Pink extortion brand marks a shift in cyber‑crime tactics, moving away from ransomware payloads toward pure data‑theft and intimidation. By operating under the CL‑CRI‑1147 cluster, researchers link Pink to the broader “Com” ecosystem, which has a history of targeting cloud services for profit. This rebranding strategy allows seasoned actors to shed past notoriety while preserving their operational playbook, making detection harder for defenders accustomed to legacy ransomware signatures.
Pink’s attack chain begins with voice‑phishing calls, where perpetrators pose as internal IT personnel and direct users to look‑alike domains such as passkeyadd.com. Once credentials—including multi‑factor tokens—are harvested, the group exploits Microsoft Graph APIs to enumerate and download files from SharePoint and OneDrive. The use of legitimate API calls blends malicious activity with normal administrative traffic, reducing the chance of triggering alerts. This rapid exfiltration model minimizes exposure time and maximizes the leverage attackers have when demanding payment.
The real danger lies in the group’s use of compromised accounts to send extortion notices via email and Microsoft Teams, giving the threat an aura of authenticity that can pressure executives into quick payouts. Infrastructure reuse—consistent phishing domains, DDoS‑Guard hosting, and residential proxies—demonstrates a disciplined, repeatable operation. Organizations should enforce strict MFA policies, monitor anomalous Graph API usage, and implement user‑behavior analytics to spot credential abuse. Regular phishing simulations and rapid incident response playbooks are essential to mitigate the growing risk posed by Pink and similar cloud‑focused extortion groups.