A newly observed extortion brand called Pink (CL-CRI-1147) is actively targeting enterprise users to harvest cloud storage credentials and bypass multi-factor authentication.
The group’s leak site went live on May 31, 2026, and its operations combine social engineering with classic credential-phishing to quickly convert compromised accounts into extortion leverage.
Pink’s attack chain begins with vishing and IT-impersonation calls that lower user suspicion and create urgency. Operators pose as helpdesk or security staff, telling recipients that their account or device requires immediate action.
The voice interaction primes targets to expect a follow-up message or link, which arrives as a credential-phishing page designed to mimic corporate single sign-on and cloud storage portals.
Where MFA is present, Pink employs techniques such as real-time MFA prompts, push fatigue, and one-time passcode interception to obtain the second factor alongside the password.
Once inside, attackers systematically search enterprise cloud storage and productivity suites for sensitive documents, intellectual property, and archived backups.
Public evidence on the leak site serves a dual purpose: it pressures victims to pay and advertises Pink’s capabilities to attract further victims or affiliates.
According to Palo Alto, the group copies or exfiltrates folders and files that can be used as proof of compromise, then notifies victims through the public leak site and direct extortion messages demanding payment to avoid publication.
This campaign is notable for its operational focus on human targeting rather than large-scale mass phishing.
Pink Hacking Group Targets Enterprises
By combining telephone-based social engineering with tailored credential pages and immediate exploitation of cloud services, Pink increases its success rate against organizations that rely on password-based authentication and reactive detection.
The group demonstrates an understanding of enterprise workflows, searching shared drives, collaboration platforms, and archived emails, so the most damaging exposures tend to come from accounts with broad access or weak session controls.
Defenders should assume an initial foothold will include valid credentials and consider the following mitigations: enforce phishing-resistant MFA (hardware tokens or FIDO2), implement conditional access policies to block anomalous logins, enable session controls and short token lifetimes for cloud services, and require step-up authentication for access to sensitive repositories.
Regularly audit and minimize excessive storage permissions, enable file access logging and retention for forensic review, and train staff on vishing tactics with simulated voice-impersonation exercises.
Rapid incident response that quickly revokes compromised credentials, rotates keys, and isolates affected storage can limit the amount of data exfiltrated.
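Two of the behaviours described above, push fatigue at the MFA step and bulk collection from cloud storage once a session is open, leave patterns in ordinary sign-in and file-access telemetry. The script below is an added example written for this article, not code from Palo Alto or any vendor, showing how a defender might flag both patterns. The event schema (ts, user, event, ip, result, path), the field values, and the thresholds are all constructed assumptions; real products use their own log formats and the numbers would be tuned per environment.

```python
"""Added example: detection heuristics for MFA push fatigue and bulk cloud-storage
downloads from a newly seen network location. All events below are constructed
sample data in a hypothetical, vendor-neutral schema, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.fromisoformat(s)


def _alice_downloads(n):
    # Constructed: n downloads ten seconds apart, right after the approved push.
    base = parse_ts("2026-06-01T09:02:10")
    return [{"ts": (base + timedelta(seconds=10 * i)).isoformat(timespec="seconds"),
             "user": "alice", "event": "file_download", "ip": "203.0.113.7",
             "path": f"/Shared/Finance/doc{i}.xlsx"} for i in range(n)]


# Constructed sample events. Alice is bombarded with pushes until she approves one,
# then a session from the same unfamiliar IP pulls 25 files. Bob is a normal login.
EVENTS = [
    {"ts": "2026-06-01T09:00:05", "user": "alice", "event": "mfa_push", "ip": "203.0.113.7", "result": "denied"},
    {"ts": "2026-06-01T09:00:40", "user": "alice", "event": "mfa_push", "ip": "203.0.113.7", "result": "timeout"},
    {"ts": "2026-06-01T09:01:10", "user": "alice", "event": "mfa_push", "ip": "203.0.113.7", "result": "denied"},
    {"ts": "2026-06-01T09:01:50", "user": "alice", "event": "mfa_push", "ip": "203.0.113.7", "result": "approved"},
    {"ts": "2026-06-01T09:02:00", "user": "alice", "event": "login", "ip": "203.0.113.7", "result": "success"},
    {"ts": "2026-06-01T09:05:00", "user": "bob", "event": "mfa_push", "ip": "198.51.100.2", "result": "approved"},
    {"ts": "2026-06-01T09:05:05", "user": "bob", "event": "login", "ip": "198.51.100.2", "result": "success"},
    {"ts": "2026-06-01T09:06:00", "user": "bob", "event": "file_download", "ip": "198.51.100.2", "path": "/Shared/HR/a.docx"},
    {"ts": "2026-06-01T09:06:30", "user": "bob", "event": "file_download", "ip": "198.51.100.2", "path": "/Shared/HR/b.docx"},
] + _alice_downloads(25)

# Constructed baseline of IPs each user has previously authenticated from.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.2"}}


def detect_push_fatigue(events, window=timedelta(minutes=10), min_unapproved=3):
    """Flag an approved MFA push preceded by >= min_unapproved non-approved pushes
    for the same user inside `window`. Repeated denied or timed-out prompts that end
    in an approval are the signature of an attacker prompting until the user gives in."""
    alerts = []
    pushes = sorted((e for e in events if e["event"] == "mfa_push"), key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in pushes:
        by_user[e["user"]].append(e)
    for user, seq in by_user.items():
        for i, e in enumerate(seq):
            if e["result"] != "approved":
                continue
            t = parse_ts(e["ts"])
            prior = [p for p in seq[:i]
                     if p["result"] != "approved" and t - parse_ts(p["ts"]) <= window]
            if len(prior) >= min_unapproved:
                alerts.append({"user": user, "ip": e["ip"], "approved_at": e["ts"],
                               "unapproved_before": len(prior)})
    return alerts


def detect_bulk_download(events, known_ips, window=timedelta(minutes=10), threshold=20):
    """Flag a user who downloads >= threshold files inside `window` from an IP not in
    that user's baseline. A session opened with phished credentials usually comes from
    a network location the victim has never used, so pairing the two cuts noise."""
    alerts = []
    downloads = sorted((e for e in events if e["event"] == "file_download"), key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in downloads:
        if e["ip"] in known_ips.get(e["user"], set()):
            continue  # familiar location: not this rule's concern
        by_key[(e["user"], e["ip"])].append(parse_ts(e["ts"]))
    for (user, ip), times in by_key.items():
        start, peak = 0, 0  # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"user": user, "ip": ip, "downloads_in_window": peak})
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(EVENTS):
        print("push fatigue:", a)
    for a in detect_bulk_download(EVENTS, KNOWN_IPS):
        print("bulk download from new IP:", a)
```

Both rules are deliberately simple so that the trigger conditions are auditable: the first only fires on an approval that follows a run of refusals, which is what distinguishes push fatigue from a user who merely mistypes, and the second requires both a new location and volume, since either alone is common in normal work. In practice the download rule should be scoped to sensitive repositories (the step-up authentication point above) and the IP baseline replaced by whatever device or location signal the identity provider exposes.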
Attribution remains early, but analysts classify Pink as a Com-aligned extortion brand leveraging affiliate-style operations. The group’s leak portal and observed tradecraft align with recent trends of financially motivated actors shifting from ransomware to targeted data extortion.
Organizations should treat extortion threats as part of their incident response playbooks and coordinate with legal and communications teams to avoid hasty payouts that encourage repeat targeting.