{
  "Event": {
    "analysis": "1",
    "date": "2026-04-27",
    "extends_uuid": "",
    "info": "[Threat Intel] Extortion in the Enterprise: Defending Against BlackFile Attacks",
    "protected": false,
    "publish_timestamp": "1779545715",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545715",
    "uuid": "a1f5fe11-329c-4a45-865b-11130b757835",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#3000b9",
        "local": false,
        "name": "rectifyq:workflow=\"enrichment\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#a42e64",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Information Repositories - T1213\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Device Registration - T1098.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#82eae0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Financial Theft - T1657\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Voice - T1566.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": false,
        "type": "link",
        "uuid": "730ca85c-8afb-4b74-b202-02f3c090ae73",
        "value": "https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": false,
        "type": "text",
        "uuid": "2c43bb00-5c39-4889-8744-94fa5f166871",
        "value": "Since February 2026, multiple incidents involving data theft and extortion have been attributed to activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially motivated attackers, likely associated with \"The Com\" collective, employ voice-based phishing combined with credential harvesting through fraudulent login pages. They impersonate IT support staff to steal credentials and bypass multi-factor authentication. The attackers focus on Living Off the Land techniques, abusing legitimate APIs like Microsoft Graph to access SharePoint sites and Salesforce data. They search for confidential information and employee data within SaaS environments, then exfiltrate it through browser downloads or API exports. To pressure victims into paying seven-figure ransoms, attackers send demands via Gmail and compromised email accounts, sometimes employing SWATting tactics against executives."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": false,
        "type": "text",
        "uuid": "5ae1bf86-caef-4efa-a8f2-003ce8b8866c",
        "value": "Name: Extortion in the Enterprise: Defending Against BlackFile Attacks\nAuthor: AlienVault\nAdversary: CL-CRI-1116\nTags: [\"blackfile\", \"data exfiltration\", \"saas attacks\", \"unc6671\", \"extortion\", \"cordial spider\", \"the com\", \"credential theft\", \"vishing\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: []\nIndustries: [\"Retail\", \"Hospitality\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629903",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "33c28943-15a4-42dd-9fd9-8a229c103c57",
        "value": "CL-CRI-1116",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"UNC6671\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0c6771c1-5dc2-48a4-b0d0-8f54b9618090",
        "value": "136.158.24.160"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b94d7e9b-c772-47d1-9966-98d4e7414550",
        "value": "112.209.151.78"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ffa45792-9d6a-4c8f-9fe4-a737ce1919e2",
        "value": "111.235.93.125"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "20f63a50-58ee-40e9-b906-4f11c6c81f33",
        "value": "112.207.101.227"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e80f7634-4132-4247-9cd4-79bf55a5f2d6",
        "value": "112.207.108.30"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cb77f28e-9703-4744-a52c-a500efcf8ecd",
        "value": "119.111.248.227"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "277407f9-0123-4ee3-a50b-898920b71bab",
        "value": "136.158.27.101"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a01e5701-6955-4c02-a95d-d02b0ddb2832",
        "value": "136.158.27.72"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e6ef798c-7b7c-4d7c-bbfe-8d7c5e3272e2",
        "value": "136.32.210.197"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "413472ff-33d9-4a4b-a257-cef806f62c45",
        "value": "136.35.103.90"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3218ef9c-b642-4bdc-a24b-26b951efa840",
        "value": "184.93.0.17"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0c236046-46b5-4595-9647-fa70c51afa5f",
        "value": "185.193.127.130"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6b9f7d96-0359-4847-96b7-c94d8896c112",
        "value": "185.231.33.62"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "da1d6e68-2eb8-43ff-aa9e-b58211e54ce7",
        "value": "24.177.37.97"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "930e4a33-867a-4a38-bddf-aa379ce1c620",
        "value": "35.139.72.161"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777345216",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a260eb46-fb9c-4c9f-9024-d5f3003f82db",
        "value": "72.180.124.192"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629915",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6559b4ca-e31d-4df6-a5a2-863336cc5b89",
        "value": "37.19.210.9"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629916",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7f6419f9-ae59-468b-934c-1f49c5c7cadc",
        "value": "146.70.172.228"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629916",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3560054a-24fe-4039-804a-5debbe56ab03",
        "value": "179.43.185.226"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629916",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "88366863-4857-4dc8-9f79-3737f4cc87fb",
        "value": "199.127.61.200"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629916",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "189a612e-60c7-4b1c-b07f-1ae172d195b5",
        "value": "208.131.130.67"
      }
    ]
  }
}