Pink Extortion Group Emerges Targeting Microsoft 365 Data

Unit 42 reports a new extortion brand called “Pink” (cluster CL-CRI-1147) that uses vishing to harvest Microsoft 365 credentials, then rapidly exfiltrates data from SharePoint/OneDrive via Microsoft Graph and automated requests before leveraging compromised accounts to send internal extortion messages; researchers observed multiple victim listings on a leak site and identified phishing domains and IPs tied to the operation.