Pink Extortion Group Uses Vishing to Bypass MFA and Steal Microsoft 365 Cloud Data
What Happened – A newly identified cyber‑crime gang calling itself “Pink Extortion Group” is leveraging voice‑phishing (vishing) calls to convince users to disclose one‑time passcodes, effectively sidestepping multi‑factor authentication (MFA) on Microsoft 365 accounts. Once authenticated, the actors harvest files from SharePoint, OneDrive, and Exchange mailboxes and threaten victims with public exposure unless a ransom is paid.
Why It Matters for TPRM –
- MFA bypasses undermine a core security control many third‑party vendors rely on.
- Cloud‑based data exfiltration can expose sensitive client information across multiple industries.
- Extortion tactics increase financial and reputational risk for organizations that outsource to Microsoft 365‑dependent service providers.
Who Is Affected – Enterprises and SaaS providers that store data in Microsoft 365 (SharePoint, OneDrive, Exchange) across sectors such as technology, finance, healthcare, and professional services.
Recommended Actions –
- Review MFA implementation (e.g., enforce hardware tokens, conditional access policies).
- Conduct phishing‑resilience training that includes voice‑phishing scenarios.
- Verify that third‑party vendors using Microsoft 365 have robust monitoring and data loss prevention (DLP) controls.
Technical Notes – Attack vector: vishing (voice phishing) to obtain MFA codes; no known CVE exploited. Data types stolen include documents, spreadsheets, and email communications. Source: HackRead
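Because the vished passcode makes the sign-in itself look valid, monitoring has to key on what happens after authentication. The sketch below is an added example, not taken from the source report: it flags a sign-in from an IP outside a user's baseline that is followed by a burst of SharePoint, OneDrive or Exchange access events. It assumes records shaped like Microsoft 365 unified audit log entries (`CreationTime`, `Operation`, `UserId`, `ClientIP`); the window, the threshold, the `known_ips` baseline and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Audit operations covering the three workloads named in the brief.
BULK_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "MailItemsAccessed"}
WINDOW = timedelta(minutes=30)   # assumed look-ahead after a sign-in
THRESHOLD = 5                    # assumed; tune to the tenant's baseline

def ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])

def flag_post_login_bulk_access(records, known_ips):
    """Return (user, ip, count) for each sign-in from an IP outside the user's
    baseline that is followed by >= THRESHOLD bulk-access events from that
    same IP within WINDOW."""
    by_user = defaultdict(list)
    for rec in sorted(records, key=ts):
        by_user[rec["UserId"]].append(rec)
    alerts = []
    for user, events in by_user.items():
        for i, ev in enumerate(events):
            if ev["Operation"] != "UserLoggedIn":
                continue
            ip = ev["ClientIP"]
            if ip in known_ips.get(user, set()):
                continue  # sign-in from a familiar address
            count = sum(1 for later in events[i + 1:]
                        if later["Operation"] in BULK_OPS
                        and later["ClientIP"] == ip
                        and ts(later) - ts(ev) <= WINDOW)
            if count >= THRESHOLD:
                alerts.append((user, ip, count))
    return alerts

def _rec(t, op, user, ip):
    return {"CreationTime": t, "Operation": op, "UserId": user, "ClientIP": ip}

# Constructed sample: alice signs in from an unseen IP and pulls six items;
# bob does the same volume from his usual address.
SAMPLE = (
    [_rec("2024-01-01T09:00:00", "UserLoggedIn", "alice@example.com", "198.51.100.7")]
    + [_rec(f"2024-01-01T09:0{m}:00", "FileDownloaded", "alice@example.com", "198.51.100.7")
       for m in range(1, 5)]
    + [_rec(f"2024-01-01T09:0{m}:00", "MailItemsAccessed", "alice@example.com", "198.51.100.7")
       for m in range(5, 7)]
    + [_rec("2024-01-01T09:00:00", "UserLoggedIn", "bob@example.com", "192.0.2.10")]
    + [_rec(f"2024-01-01T09:0{m}:00", "FileDownloaded", "bob@example.com", "192.0.2.10")
       for m in range(1, 7)]
)
KNOWN_IPS = {"alice@example.com": {"192.0.2.20"}, "bob@example.com": {"192.0.2.10"}}

if __name__ == "__main__":
    print(flag_post_login_bulk_access(SAMPLE, KNOWN_IPS))
```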