A newly identified financially motivated threat group tracked as BlackFile (also tracked as CL-CRI-1116, UNC6671, and Cordial Spider) has been linked to a wave of data theft and extortion attacks targeting retail and hospitality organizations since February 2026, according to intelligence shared with RH-ISAC by Palo Alto Networks' Unit 42. The group impersonates corporate IT help desk staff, harvests employee credentials through vishing, and demands seven-figure ransoms after exfiltrating sensitive data from Salesforce and SharePoint environments.
What Happened
Unit 42 researchers and RH-ISAC disclosed that BlackFile operators have systematically targeted retail and hospitality victims by placing voice-based phishing calls from spoofed VoIP numbers with fraudulent caller ID names. Posing as internal IT support, attackers direct employees to fake corporate login pages designed to capture both credentials and one-time passcodes. Once initial access is established, the actors register their own devices to bypass multi-factor authentication, scrape internal employee directories, and pivot toward executive-level accounts. Researchers have linked BlackFile with some confidence to "The Com," a loose network of English-speaking cybercriminals known for extortion, violence, and CSAM production. Compromised employees, including senior executives, have also been targeted for swatting via false emergency calls to local responders.
What Was Taken
BlackFile leverages legitimate Salesforce API functions and standard SharePoint download functionality to exfiltrate data under the cover of authenticated SSO sessions. Operators specifically search for files containing terms such as "sensitive" and "SSN," and have stolen CSV datasets of employee phone numbers, internal business reports, and other proprietary documents. Stolen materials are transferred to attacker-controlled infrastructure and subsequently published on the group's dark web data leak site as leverage. Victims are then contacted with seven-figure ransom demands sent from a compromised employee email account or a freshly registered Gmail address.
Why It Matters
BlackFile's tradecraft mirrors that of ShinyHunters, SLSH, and other Com-affiliated copycats that have repeatedly bypassed mature enterprise security controls through human-layer attacks. By abusing legitimate API surfaces and SaaS authentication flows rather than deploying conventional malware, the group sidesteps endpoint detection and many SaaS monitoring rules tuned for unusual user agents or anomalous binaries. The combination of large-scale data theft, public leak-site shaming, and physical-world swatting against executives raises both the financial and personal cost of victimization, and signals that retail and hospitality verticals, which hold rich consumer and workforce datasets, will remain priority targets through 2026.
The Attack Technique
The intrusion chain begins with a spoofed VoIP call to a targeted employee. The caller, posing as IT support, walks the victim to a credential harvesting page that captures username, password, and MFA one-time passcode. Operators then enroll an attacker-controlled device into the identity provider, defeating subsequent MFA challenges, and pull employee directory data to identify high-value executive accounts for further compromise. With elevated identity in hand, BlackFile authenticates to Salesforce and SharePoint using legitimate SSO sessions and uses native API and download functionality to bulk-pull data matching keywords such as "sensitive" and "SSN." Exfiltrated content is staged on attacker infrastructure, posted to the group's leak site, and used to pressure victims via ransom messages delivered from compromised mailboxes or throwaway Gmail accounts.
What Organizations Should Do
- Harden help desk and IT support workflows: require out-of-band verification before any credential or MFA reset, and train employees to hang up and call back on a verified internal number.
- Move toward phishing-resistant authentication such as FIDO2 hardware keys or platform passkeys for all corporate accounts, prioritizing executives, finance, and IT.
- Restrict and monitor device registration in your identity provider: alert on new device enrollments, especially from atypical geographies or immediately following an MFA challenge.
- Instrument Salesforce and SharePoint for bulk-export and API-driven data access anomalies, including keyword-based searches for terms like "SSN" and large CSV downloads under SSO sessions.
- Limit broad access to internal employee directories and apply least-privilege scoping to executive identity attributes that enable targeted social engineering.
- Establish an executive protection protocol covering swatting risk, including local law enforcement liaison, family awareness, and home-address scrubbing from data brokers.
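As an added example (not from the RH-ISAC or Unit 42 reporting), the following implements the detection logic behind the device-registration and SaaS-monitoring recommendations above over constructed audit events in a hypothetical, vendor-neutral schema: it flags a device enrollment that follows an MFA challenge for the same user from a different source IP within a short window, flags sensitive-keyword searches and bulk exports performed under an authenticated session, and correlates users who trigger both.

```python
"""Correlate identity-provider and SaaS audit events into alerts for two
BlackFile-style behaviours: attacker-controlled device enrollment right after
an MFA challenge, and keyword-driven or bulk data pulls over an SSO session.
Event field names are a constructed, hypothetical schema, not a vendor format."""
from datetime import datetime, timedelta

# Constructed sample events (assumed schema: ISO-8601 ts, user, type/action, ip, ...).
IDP_EVENTS = [
    {"ts": "2026-03-02T09:14:05", "user": "j.doe", "type": "mfa_challenge", "ip": "203.0.113.10"},
    {"ts": "2026-03-02T09:16:40", "user": "j.doe", "type": "device_enroll", "ip": "198.51.100.7"},
    {"ts": "2026-03-02T11:00:00", "user": "a.lee", "type": "mfa_challenge", "ip": "203.0.113.22"},
    {"ts": "2026-03-03T11:00:00", "user": "a.lee", "type": "device_enroll", "ip": "203.0.113.22"},
]
SAAS_EVENTS = [
    {"ts": "2026-03-02T09:30:00", "user": "j.doe", "app": "salesforce", "action": "search", "query": "files containing SSN", "rows": 0},
    {"ts": "2026-03-02T09:31:10", "user": "j.doe", "app": "salesforce", "action": "export", "query": "", "rows": 48000},
    {"ts": "2026-03-02T10:02:00", "user": "a.lee", "app": "sharepoint", "action": "download", "query": "", "rows": 3},
]

ENROLL_WINDOW = timedelta(minutes=30)   # how soon after an MFA challenge an enrollment is suspicious
KEYWORDS = {"ssn", "sensitive"}          # terms the group is reported to search for
BULK_ROWS = 10_000                       # tunable bulk-export threshold

def parse(ts):
    return datetime.fromisoformat(ts)

def suspicious_enrollments(events, window=ENROLL_WINDOW):
    """Device enrollment within `window` after an MFA challenge for the same
    user but from a different source IP. Returns [(user, enroll_ts), ...]."""
    challenges = [e for e in events if e["type"] == "mfa_challenge"]
    alerts = []
    for e in (x for x in events if x["type"] == "device_enroll"):
        for c in challenges:
            delta = parse(e["ts"]) - parse(c["ts"])
            if c["user"] == e["user"] and timedelta(0) <= delta <= window and c["ip"] != e["ip"]:
                alerts.append((e["user"], e["ts"]))
                break
    return alerts

def suspicious_data_access(events, keywords=KEYWORDS, bulk_rows=BULK_ROWS):
    """Searches for sensitive terms, or exports/downloads above the bulk threshold."""
    alerts = []
    for e in events:
        q = e["query"].lower()
        if e["action"] == "search" and any(k in q for k in keywords):
            alerts.append((e["user"], e["app"], "keyword_search", e["query"]))
        elif e["action"] in ("export", "download") and e["rows"] >= bulk_rows:
            alerts.append((e["user"], e["app"], "bulk_export", e["rows"]))
    return alerts

def correlated_users(idp_events, saas_events):
    """Users flagged by both detectors: the highest-priority cases to triage."""
    enrolled = {u for u, _ in suspicious_enrollments(idp_events)}
    pulled = {a[0] for a in suspicious_data_access(saas_events)}
    return enrolled & pulled
```

Thresholds and the window are starting points to tune against a baseline of legitimate enrollments and exports in your own tenant.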
Sources: New BlackFile extortion group linked to growing number of malicious attacks - Techdesk