Extortion in the Enterprise: Defending Against BlackFile Attacks
Essential information
- Published
- 27/04/2026 18:11
- Modified
- 27/04/2026 16:31
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- blackfile cordial spider credential theft data exfiltration extortion saas attacks the com unc6671 vishing
- Tags
- 2026-04-27 blackfile cordial spider credential-theft data exfiltration extortion saas attacks the com unc6671 vishing
- Related entities
- 16 indicators, 16 observables, 1 intrusion sets (apt), 2 others
Description
Since February 2026, multiple incidents involving data theft and extortion have been attributed to activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially-motivated attackers, likely associated with "The Com" collective, employ voice-based phishing combined with credential harvesting through fraudulent login pages. They impersonate IT support staff to steal credentials and bypass multi-factor authentication. The attackers focus on Living Off the Land techniques, abusing legitimate APIs like Microsoft Graph to access SharePoint sites and Salesforce data. They search for confidential information and employee data within SaaS environments, then exfiltrate it through browser downloads or API exports. To pressure victims into paying seven-figure ransoms, attackers send demands via Gmail and compromised email accounts, sometimes employing SWATting tactics against executives.