Apr 25, 2026 · 6 min read
This Extortion Gang Calls Before It Hacks—BlackFile Uses Voice Phishing to Breach Retail and Hotel Chains
A new financially motivated group called BlackFile has been using phone calls to trick employees into handing over their corporate credentials and MFA codes since February 2026. Once inside, they steal confidential files through Salesforce and SharePoint APIs, then demand seven-figure ransoms.
How BlackFile Gets In: A Phone Call
BlackFile does not start with a phishing email. It starts with a phone call. Attackers use spoofed VoIP numbers and fraudulent caller IDs to impersonate IT support staff, then direct employees to fake corporate login pages that capture both their credentials and one-time passcodes. The technique is called vishing, short for voice phishing, and it bypasses email security filters entirely because the attack never touches an inbox.
Palo Alto Networks' Unit 42 first identified the group, which is also tracked as CL-CRI-1116, UNC6671, and Cordial Spider. Unit 42 linked BlackFile with "moderate confidence" to The Com, a broader cybercriminal network involved in extortion and recruitment schemes that has attracted attention from law enforcement since 2023.
Bypassing MFA Without Breaking It
Once BlackFile has an employee's credentials and a valid one-time passcode, they do not simply log in and hope for the best. They register their own devices on the target's multi-factor authentication system. This step is critical: it means the attackers no longer need to intercept future MFA codes. Their device is now a trusted part of the authentication chain.
From there, the group scrapes internal employee directories to identify executive level accounts. By pivoting upward through the organization, they gain access to the most sensitive systems and data. Their sessions masquerade as legitimate SSO logins, making them difficult to distinguish from normal employee activity in security logs.
What They Steal and How
BlackFile uses standard Salesforce and SharePoint API functions to search for and exfiltrate files containing terms like "confidential" and "SSN." The group moves large volumes of data, including CSV datasets of employee phone numbers and confidential business reports, to their own infrastructure.
The use of standard APIs rather than custom malware makes detection harder. Security tools that monitor for known malicious software may not flag API calls that look identical to legitimate business operations. The difference between a finance team member downloading a quarterly report and an attacker exfiltrating that same file through the same API endpoint is often invisible without behavioral analytics.
The Extortion Playbook
BlackFile publishes stolen documents on its dark web leak site before sending ransom demands, a reversal of the typical ransomware sequence where data is encrypted first and leaked only if the victim refuses to pay. The ransom demands are reportedly in the seven figures.
The demands arrive through compromised employee email accounts or random Gmail addresses, making them easy to dismiss as spam until the victim checks the leak site and finds their own confidential data. Some victims have also faced swatting attempts, where attackers make false emergency reports to send armed police to the victim's location, adding physical intimidation to the digital pressure.
Why This Follows the Email to Phone Pipeline
BlackFile represents the evolution of email-based attacks. Traditional phishing starts in the inbox, but as organizations have invested in email security filters, DMARC enforcement, and link scanning, attackers have shifted to the phone. The technique is the same; only the delivery channel has changed: impersonate someone the target trusts, create urgency, and harvest credentials.
This mirrors what happened with the ATHR AI vishing platform, which automated voice phishing calls against Gmail and Microsoft 365 users. It also follows the pattern that ADT's breach by ShinyHunters demonstrated: voice phishing to compromise Okta SSO, then lateral movement into Salesforce. The common thread is that the phone has become the new inbox for social engineering.
For email privacy, the downstream effects are direct. Once attackers access Salesforce and SharePoint through stolen credentials, they gain access to email templates, customer contact lists, and internal correspondence, all of which can be weaponized for more targeted phishing campaigns against the breached company's customers.
How Organizations Can Defend Against Vishing
The Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) has issued specific guidance for defending against BlackFile's techniques:
- Strengthen call-handling policies. IT helpdesks should never direct callers to login pages or accept credential information over the phone.
- Enforce multi-factor identity verification for callers. Require a second verification step before any account changes, password resets, or MFA device registrations.
- Conduct simulation-based social engineering training. Employees need practice recognizing vishing calls, not just phishing emails.
- Monitor MFA device registrations. Alert on any new device enrollment, especially when it follows a helpdesk interaction.
- Audit Salesforce and SharePoint API access. Flag bulk downloads and searches for sensitive terms like "SSN" or "confidential".
- Implement phishing-resistant MFA. Hardware security keys and passkeys cannot be intercepted through a phone call.