BlackFile extortion crew uses vishing to plunder Salesforce and SharePoint data
A financially motivated group calling itself BlackFile — also tracked as CL-CRI-1116, UNC6671, and Cordial Spider — has been hitting retail and hospitality targets since February 2026 with helpdesk impersonation attacks that end in seven-figure ransom demands. Unit 42 links the crew with moderate confidence to The Com, the English-speaking extortion ecosystem known for recruiting minors into violence and CSAM production. Mandiant and CyberSteward confirm the TTPs closely mirror ShinyHunters and SLSH playbooks.
The intrusion chain is almost entirely social. Operators spoof VoIP numbers and caller ID names, phone employees posing as IT support, and harvest credentials plus one-time passcodes through fake login portals. With those in hand, they enroll their own devices to defeat MFA, scrape internal directories to pivot to executives, then use legitimate Salesforce API calls and standard SharePoint download paths — under SSO-authenticated sessions — to pull CSVs and documents keyed on terms like “confidential” and “SSN.” Stolen data lands on attacker infrastructure and a dark web leak site before ransom notes arrive from hijacked mailboxes or throwaway Gmail accounts.
Pressure tactics extend offline: employees, including senior executives, have been swatted to force payment. Because the abuse rides on valid sessions and documented APIs, technical controls alone are insufficient. RH-ISAC’s guidance centers on the human layer — hardened call-handling procedures, out-of-band identity verification for anyone claiming to be IT, and recurring vishing simulations for frontline staff.
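The chain above rides on valid SSO sessions and documented APIs, so a useful detection is not "was the API called" but "did a bulk or sensitive export follow a freshly enrolled MFA device". The following is an added example, not code from the article, RH-ISAC, or any vendor named here: a small correlation over a constructed, pipe-delimited event log in which every field name, the 24-hour window, and the 1000-row threshold are assumptions chosen for illustration. It flags report exports and SharePoint downloads that occur within the window after a `device_enrolled` event and either match the "confidential"/"SSN" terms the article mentions or exceed the bulk-row threshold.

```python
"""Correlate MFA device enrollment with bulk or sensitive data exports.

Added example, not code from the article or any vendor; the log format
below is constructed and every field name and threshold is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Terms the article says the crew keys its CSV/document pulls on.
SENSITIVE_TERMS = re.compile(r"confidential|ssn", re.IGNORECASE)
ENROLL_WINDOW = timedelta(hours=24)  # assumption: exports this soon after a new device are suspect
BULK_ROWS = 1000                     # assumption: row count that counts as a bulk pull
EXPORT_KINDS = {"report_export", "sharepoint_download"}


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str    # device_enrolled | login | report_export | sharepoint_download
    detail: str  # report or file name
    rows: int    # rows returned for report exports, 0 otherwise


def parse_line(line: str) -> Event:
    """Parse one constructed log line: ISO-time|user|kind|detail|rows."""
    ts, user, kind, detail, rows = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, kind, detail, int(rows))


def correlate(events):
    """Return alerts for exports that follow a fresh MFA device enrollment."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        enrollments = [e for e in evs if e.kind == "device_enrolled"]
        for ev in evs:
            if ev.kind not in EXPORT_KINDS:
                continue
            prior = [e for e in enrollments
                     if timedelta(0) <= ev.ts - e.ts <= ENROLL_WINDOW]
            if not prior:
                continue  # long-standing device: treat as routine business export
            reasons = []
            if SENSITIVE_TERMS.search(ev.detail):
                reasons.append("sensitive-term")
            if ev.rows >= BULK_ROWS:
                reasons.append("bulk-volume")
            if reasons:
                alerts.append({
                    "user": user,
                    "ts": ev.ts.isoformat(),
                    "kind": ev.kind,
                    "detail": ev.detail,
                    "reasons": reasons,
                    "enrolled_at": prior[-1].ts.isoformat(),
                })
    return alerts


# Constructed sample: alice is a routine bulk exporter with no new device;
# bob enrolls a new authenticator and starts pulling sensitive data.
SAMPLE_LOG = """\
2026-03-02T08:55:00|alice|login|corp-laptop|0
2026-03-02T09:10:00|alice|report_export|All_Opportunities.csv|5000
2026-03-02T09:05:00|bob|device_enrolled|new-authenticator|0
2026-03-02T09:40:00|bob|report_export|Confidential_Customers.csv|2000
2026-03-02T10:02:00|bob|sharepoint_download|Q3_budget.xlsx|0
2026-03-02T10:15:00|bob|sharepoint_download|hr/employee_SSN_list.xlsx|0
2026-03-04T11:00:00|bob|report_export|Confidential_Pipeline.csv|50
"""


def run_sample():
    return correlate(parse_line(l) for l in SAMPLE_LOG.splitlines() if l)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Alice's 5000-row export is deliberately left alone: without a recent enrollment it is indistinguishable from normal reporting, which is the article's point that the API activity itself looks legitimate. Bob's export two days later also drops out of the window; in production the window and thresholds would be tuned against the organisation's own export baseline, and the enrollment event would come from the IdP rather than the same log.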
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.