A financially motivated group tracked as BlackFile has used vishing campaigns since February 2026 to impersonate IT helpdesk staff, steal employee credentials, and demand seven-figure ransoms from retail and hospitality organizations. Using the stolen credentials to register their own devices and abuse Salesforce and SharePoint APIs, the attackers exfiltrate confidential data, publish it on a dark web leak site, and sometimes resort to swatting; Unit 42 and RH-ISAC link the group to broader criminal networks. #BlackFile #Salesforce
Keypoints
- BlackFile uses voice-based phishing (vishing) from spoofed VoIP numbers to impersonate IT helpdesk staff and harvest employee credentials.
- Attackers register their own devices to bypass multifactor authentication and escalate access to executive accounts by scraping internal directories.
- Stolen credentials are used to exfiltrate sensitive files from Salesforce and SharePoint via standard API and download functions, targeting terms like "confidential" and "SSN".
- Exfiltrated data is published on the gang's dark web leak site and victims face seven-figure ransom demands, with swatting used to increase pressure.
- RH-ISAC and Unit 42 recommend strengthening call-handling policies, enforcing multifactor identity verification for callers, and conducting simulation-based social engineering training.
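The chain in the keypoints above (a new MFA device is enrolled on a stolen account, then files or reports matching "confidential"/"SSN" are pulled through ordinary download and API functions) is also a detection opportunity, because every step lands in an audit log. The following is an added example written for this page, not code from Unit 42, RH-ISAC, or any vendor: it correlates device enrollment with sensitive-term data pulls over a constructed, hypothetical event schema. Field names (`ts`, `user`, `event`, `source`, `detail`) and the event names are assumptions; real Salesforce Event Monitoring and Microsoft 365 audit records must be mapped onto them.

```python
"""Flag accounts that enrol a new MFA device and then pull sensitive items.

Added example for this page; the event schema and sample records are
constructed, not real Salesforce or SharePoint audit output.
"""
from datetime import datetime, timedelta
import re

# Terms the group is reported to search for. Substring matching is deliberate:
# word boundaries would miss names such as "Payroll_SSN_export.xlsx".
SENSITIVE_TERMS = re.compile(r"confidential|ssn|social security", re.IGNORECASE)

# Hypothetical event names for "data left the tenant" actions (assumption).
DATA_PULL_EVENTS = {"file_download", "api_report_export", "bulk_api_query"}

# Constructed sample events in the hypothetical schema, deliberately unordered.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:58:00", "user": "j.doe", "event": "mfa_device_registered",
     "source": "idp", "detail": "Authenticator app (new phone)"},
    {"ts": "2026-03-02T10:05:00", "user": "j.doe", "event": "search",
     "source": "sharepoint", "detail": "confidential SSN"},
    {"ts": "2026-03-02T10:07:00", "user": "j.doe", "event": "file_download",
     "source": "sharepoint", "detail": "HR/Payroll_SSN_export.xlsx"},
    {"ts": "2026-03-02T10:09:00", "user": "j.doe", "event": "api_report_export",
     "source": "salesforce", "detail": "Report: Confidential_Accounts"},
    {"ts": "2026-03-02T10:11:00", "user": "j.doe", "event": "file_download",
     "source": "sharepoint", "detail": "Finance/Q1_confidential_forecast.pptx"},
    {"ts": "2026-03-02T11:30:00", "user": "a.smith", "event": "file_download",
     "source": "sharepoint", "detail": "Marketing/brand_guidelines.pdf"},
    {"ts": "2026-03-01T14:00:00", "user": "k.lee", "event": "mfa_device_registered",
     "source": "idp", "detail": "Hardware key"},
    {"ts": "2026-03-02T14:30:00", "user": "k.lee", "event": "file_download",
     "source": "sharepoint", "detail": "Legal/confidential_NDA.docx"},
]


def _parsed(events):
    """Copy events with ISO timestamps converted to datetime, oldest first."""
    return sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )


def find_post_enrollment_pulls(events, window_hours=24, min_hits=2):
    """Return {user: [matching events]} for users who registered an MFA device
    and, within window_hours after any such registration, searched for or
    pulled at least min_hits items whose detail matches SENSITIVE_TERMS.
    Searches count as hits because the directory/keyword scraping precedes the
    downloads; tune min_hits to your tenant's baseline."""
    by_user = {}
    for e in _parsed(events):
        by_user.setdefault(e["user"], []).append(e)

    window = timedelta(hours=window_hours)
    findings = {}
    for user, evs in by_user.items():
        enrollments = [e["ts"] for e in evs if e["event"] == "mfa_device_registered"]
        if not enrollments:
            continue  # no new device on this account; out of scope for this rule
        hits = [
            e for e in evs
            if e["event"] in DATA_PULL_EVENTS | {"search"}
            and SENSITIVE_TERMS.search(e["detail"])
            and any(t <= e["ts"] <= t + window for t in enrollments)
        ]
        if len(hits) >= min_hits:
            findings[user] = hits
    return findings


def describe(findings):
    """One line per flagged user, for a ticket or alert body."""
    return [
        f"{user}: {len(hits)} sensitive pulls/searches after MFA device registration, "
        f"first at {hits[0]['ts'].isoformat()} from {hits[0]['source']}"
        for user, hits in findings.items()
    ]


if __name__ == "__main__":
    for line in describe(find_post_enrollment_pulls(SAMPLE_EVENTS)):
        print(line)
```

With the defaults only `j.doe` is flagged: four sensitive-term events inside the 24-hour window after the enrollment. `k.lee` enrolled a device a day and a half before a single matching download, so the event falls outside the window and below `min_hits`; widening the window to 48 hours and lowering `min_hits` to 1 surfaces it, which is the knob to turn if your helpdesk's legitimate device resets are rare enough that any sensitive pull after one deserves a look. The rule is intentionally narrow; pair it with the call-handling and caller-verification controls RH-ISAC and Unit 42 recommend rather than relying on it alone.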