Pink Hacking Group Steals Enterprise Cloud Pass Attacking Users
According to researchers, the Pink hacking group is affiliated with the broader Com network, a loose community of cybercriminals known for aggressive social engineering campaigns.
The group also shares tactical similarities with other well-known threat actors such as Lapsus$, Scattered Spider, and ShinyHunters, suggesting a shared playbook among these communities.
Once Pink gains access to an employee’s account, the attackers move fast. They use Microsoft’s own built-in automation tools to sweep through cloud storage environments, draining files from OneDrive and SharePoint folders within minutes.

With the stolen data in hand, the group turns to compromised accounts to send internal Microsoft Teams messages and emails demanding payment, giving executives a tight 72-hour window to respond.
This internal messaging tactic makes the extortion feel more urgent and legitimate to victims.
The group also shows signs of being a possible rebrand of an older operation. Google Threat Intelligence Group analysts have assessed that after the BlackFile brand retired in May 2026, the group may have briefly operated as Redact before surfacing again as Pink.
This pattern of rebranding is common among sophisticated extortion crews seeking to evade tracking.
New Pink Hacking Group Attacking Enterprise Users
Pink’s effectiveness lies in how little its activity looks like an attack. Because the group operates through legitimate employee accounts and Microsoft’s own tooling, the data movement is ordinary authenticated cloud traffic: firewalls and endpoint detection systems see a valid user downloading files that user is allowed to read, and most do not flag it.
The attackers direct victims to phishing domains such as passkeydeploy[.]com and deploypasskey[.]com, where the victim’s authenticated session cookie is captured. Replaying that cookie hands the group an already-authenticated session, so MFA is bypassed entirely and the victim’s password is never needed again. This is why one-time-password MFA offers little protection here: the code was entered on the attacker’s page, and the resulting session token is what gets stolen.

In addition to credential theft, Pink uses fileless techniques to stay hidden inside compromised environments. Rather than writing a large executable to disk, the group runs short commands that assemble the payload directly in memory.
Antivirus that only scans files on disk therefore has nothing to inspect; detection has to come from process behaviour and memory, not from a file signature. The code also checks its environment and, if it recognises a security research sandbox, quietly suppresses its own behaviour to avoid analysis.
Protecting Your Organization From Vishing Attacks
Security experts urge organizations to take a practical, people-first approach to defending against groups like Pink.
Employees should be trained to independently verify any unexpected IT phone call before following instructions, especially when asked to visit a link or enter credentials.
Help desk teams should have strict identity verification procedures in place that cannot be bypassed through social pressure alone.
On the technical side, organizations are advised to migrate from standard one-time password MFA to phishing-resistant authentication methods such as FIDO2 hardware keys.
Security teams should monitor cloud environments for unusual spikes in file downloads, review OAuth token grants and API permissions, and block known phishing domains linked to Pink’s infrastructure.
Deploying behavioral monitoring tools that flag large, sudden data transfers before they leave the network can also make a critical difference.
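As an added example (not from the article, and not any vendor’s own tooling), the following Python script implements the download-spike signal described above. It assumes audit events shaped like Microsoft 365 unified audit log records (CreationTime, UserId, Operation, ObjectId) and the operation names FileDownloaded and FileSyncDownloadedFull; the sample events are constructed for illustration, not real data.

```python
"""Flag users who pull an unusual number of distinct files in a short window.

Added example, not part of the original article. The event shape and the
operation names mimic Microsoft 365 unified audit log records (assumption);
all sample events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Operations that represent a file leaving SharePoint/OneDrive (assumed names).
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}


def make_sample_events():
    """Constructed audit events: one bulk pull, one normal user, one noisy sync client."""
    base = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    events = []
    # alice: 40 distinct finance documents in 78 seconds (the exfiltration pattern)
    for i in range(40):
        events.append({
            "CreationTime": (base + timedelta(seconds=2 * i)).isoformat(),
            "UserId": "alice@example.com",
            "Operation": "FileDownloaded",
            "Workload": "SharePoint",
            "ObjectId": f"https://example.sharepoint.com/sites/finance/doc{i}.xlsx",
        })
    # bob: five downloads spread across the morning (normal use)
    for i in range(5):
        events.append({
            "CreationTime": (base + timedelta(minutes=12 * i)).isoformat(),
            "UserId": "bob@example.com",
            "Operation": "FileDownloaded",
            "Workload": "OneDrive",
            "ObjectId": f"https://example-my.sharepoint.com/personal/bob/notes{i}.docx",
        })
    # carol: a sync client re-fetching the same file 30 times (noise, not a spike)
    for i in range(30):
        events.append({
            "CreationTime": (base + timedelta(seconds=i)).isoformat(),
            "UserId": "carol@example.com",
            "Operation": "FileSyncDownloadedFull",
            "Workload": "OneDrive",
            "ObjectId": "https://example-my.sharepoint.com/personal/carol/status.xlsx",
        })
    # an unrelated operation that must be ignored
    events.append({
        "CreationTime": base.isoformat(),
        "UserId": "alice@example.com",
        "Operation": "FileAccessed",
        "Workload": "SharePoint",
        "ObjectId": "https://example.sharepoint.com/sites/finance/readme.txt",
    })
    return events


def find_download_spikes(events, window=timedelta(minutes=10), threshold=25):
    """Return {user: {...}} for users whose distinct downloads in any sliding
    window of `window` length reach `threshold`. Distinct ObjectIds are
    counted so a sync client re-fetching one file does not trigger an alert."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("Operation") not in DOWNLOAD_OPS:
            continue
        ts = datetime.fromisoformat(ev["CreationTime"])
        by_user[ev["UserId"]].append((ts, ev["ObjectId"]))

    alerts = {}
    for user, items in by_user.items():
        items.sort()
        recent = deque()  # download events inside the window ending at the current event
        best, best_end = 0, None
        for ts, obj in items:
            recent.append((ts, obj))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = len({o for _, o in recent})
            if distinct > best:
                best, best_end = distinct, ts
        if best >= threshold:
            alerts[user] = {"distinct_files": best, "window_end": best_end.isoformat()}
    return alerts


if __name__ == "__main__":
    for user, info in find_download_spikes(make_sample_events()).items():
        print(f"ALERT {user}: {info['distinct_files']} distinct files by {info['window_end']}")
```

Tune `window` and `threshold` against your own tenant’s baseline; the point of counting distinct objects is that legitimate sync traffic and repeated opens of one document stay below the line while a sweep of a whole library crosses it within minutes, which is the speed the article describes.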
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.