BlackFile Extortion Group Strikes Retail and Hospitality with Vishing Attacks
A newly identified extortion group, known as BlackFile, has been systematically targeting retail and hospitality businesses since February 2026. Security researchers from Palo Alto Networks Unit 42, in collaboration with the Retail and Hospitality Information Security and Analysis Center (RH-ISAC), published a detailed report on April 23. The report, titled Extortion in the Enterprise: Defending Against BlackFile Attacks, sheds light on the group’s financially motivated tactics.
This activity cluster, designated CL-CRI-1116, overlaps with publicly known threats like UNC6671 and Cordial Spider. Experts believe it is linked to the notorious collective “The Com.” Unlike many cybercriminal groups, BlackFile avoids custom malware. Instead, it relies on living off the land by misusing APIs and legitimate internal resources.
How BlackFile Uses Vishing to Breach Defenses
BlackFile’s primary entry point is vishing: voice phishing calls that impersonate an IT helpdesk. Attackers use spoofed VoIP numbers or fraudulent Caller ID names to hide their identity. Their goal is credential theft, often targeting one-time passwords.
To achieve this, they deploy phishing pages that mimic legitimate corporate single sign-on portals. Additionally, they employ antidetect browsers and residential proxies to mask their geographic location. This helps them bypass basic IP-based reputation filters, making detection harder.
Credential Theft and MFA Bypass
Once they steal a user’s credentials, BlackFile registers a new device to bypass multi-factor authentication (MFA). This step ensures persistent access. From there, they move laterally from standard employee accounts to highly privileged accounts. They scrape internal employee directories to build contact lists for executives.
By compromising senior accounts through further social engineering, they gain broad-spectrum access. This access mirrors legitimate executive session activity, making it difficult to flag as malicious.
Data Exfiltration and Extortion Tactics
Inside the victim’s network, BlackFile focuses on SaaS data discovery and API abuse. They scrape SharePoint sites, searching for keywords like “confidential” and “SSN.” They also target Salesforce for high-value files and reports.
Data exfiltration happens directly through the browser or via API exports. By leveraging Salesforce API access and standard SharePoint download functions, they move large volumes of data (including CSV datasets of employee phone numbers and confidential business reports) to attacker-controlled infrastructure. This activity often occurs under legitimate SSO-authenticated sessions, so it does not trigger simple user-agent alerts.
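Because the exports ride on legitimate SSO sessions, a defender's signal is the sequence rather than any single event: a new MFA device registration (described above) followed shortly by large SaaS exports. The following is an added detection example, not code from the Unit 42 report; the audit records, field names and thresholds are constructed for illustration and would be mapped to your own identity-provider and SaaS audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (illustrative, not from the report). Each record is an
# identity-provider or SaaS audit event; "bytes" applies only to downloads/exports.
EVENTS = [
    {"ts": "2026-03-02T09:14:00", "user": "j.doe", "action": "mfa_device_registered", "ip": "203.0.113.7"},
    {"ts": "2026-03-02T09:22:00", "user": "j.doe", "action": "sharepoint_download", "ip": "203.0.113.7", "bytes": 180_000_000},
    {"ts": "2026-03-02T09:40:00", "user": "j.doe", "action": "salesforce_report_export", "ip": "203.0.113.7", "bytes": 95_000_000},
    {"ts": "2026-03-02T11:05:00", "user": "a.lee", "action": "mfa_device_registered", "ip": "198.51.100.4"},
    {"ts": "2026-03-02T11:30:00", "user": "a.lee", "action": "sharepoint_download", "ip": "198.51.100.4", "bytes": 2_000_000},
    {"ts": "2026-03-02T12:00:00", "user": "m.ruiz", "action": "sharepoint_download", "ip": "192.0.2.9", "bytes": 500_000_000},
]

# Actions that represent data leaving SharePoint or Salesforce (hypothetical action names).
EXPORT_ACTIONS = {"sharepoint_download", "salesforce_report_export", "salesforce_api_export"}


def detect_new_device_bulk_export(events, window_hours=24, min_bytes=100_000_000):
    """Flag users whose new MFA device registration is followed, within window_hours,
    by SaaS exports whose combined size reaches min_bytes. One alert per registration."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for reg in (r for r in recs if r["action"] == "mfa_device_registered"):
            deadline = reg["ts"] + timedelta(hours=window_hours)
            exports = [r for r in recs
                       if r["action"] in EXPORT_ACTIONS and reg["ts"] <= r["ts"] <= deadline]
            total = sum(r.get("bytes", 0) for r in exports)
            if total >= min_bytes:
                alerts.append({
                    "user": user,
                    "registered_at": reg["ts"].isoformat(),
                    "export_count": len(exports),
                    "total_bytes": total,
                    "source_ips": sorted({r["ip"] for r in exports}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_device_bulk_export(EVENTS):
        print(alert)
```

In the sample data only j.doe is flagged; a.lee registered a device but exported little, and m.ruiz's large download has no preceding registration, so a separate volume-based rule is still needed to catch exports from already-enrolled devices.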
Building on this, the group extorts victims via random Gmail addresses or compromised employee email accounts. They typically demand a seven-figure sum. In some cases, they resort to swatting C-suite executives to pressure payment.
Defending Against BlackFile Attacks
To mitigate these threats, organizations should focus on security policies and multi-factor identity verification for callers. Protocols around what information can be shared during calls are crucial. IT support actions should require escalation to management for sensitive requests.
Furthermore, security awareness training for frontline phone staff can be effective. Simulation-based scenarios help staff recognise signs of social engineering, such as vague answers and high-pressure requests for immediate action.
Retail and hospitality businesses must therefore stay vigilant. The BlackFile extortion group demonstrates how simple social engineering can lead to massive data breaches and financial loss. Proactive defense is the best countermeasure.