BlackFile Extortion Group: 7-Figure Ransoms Hit Retail Via Vishing MFA Bypass

BlackFile's attack chain requires no vulnerability, no exploit, and no malware — only a phone call and a convincing IT support persona.

Operators initiate contact via spoofed Voice over Internet Protocol (VoIP) numbers with fraudulent Caller ID Names (CNAM) designed to display as internal IT helpdesk lines. The social engineering pretext is typically urgent: a flagged suspicious login requiring immediate verification, a mandatory MFA enrollment update, or a credential reset tied to a security incident. Frontline employees in retail environments with high helpdesk interaction rates are the primary targets.

Victims are directed to attacker-controlled phishing pages that mirror the organization's genuine SSO portal with high fidelity. When a victim enters their username, password, and time-based one-time password (TOTP), a reverse proxy relays these credentials to the legitimate SSO service in real time — bypassing the TOTP's 30-second validity window. The stolen session is immediately used to enroll an attacker-controlled device in Microsoft Entra ID, granting it trusted, MFA-enrolled status.

With a persistent, MFA-bypassed session established, BlackFile operators scrape internal employee directories, identifying executive and senior-level accounts for privilege escalation. Antidetect browsers combined with residential proxy infrastructure mask geographic origin, defeating location-based Conditional Access policies. The entire sequence from initial vishing call to persistent executive-level access has been completed in under 90 minutes in confirmed Mandiant incident response engagements.

BlackFile's sector focus is not incidental — it reflects a calculated assessment of where vishing attacks are most likely to succeed and where the highest-value exfiltration targets are concentrated.

Retail and hospitality organizations share three characteristics that make them ideal BlackFile targets. First, distributed workforces and high helpdesk interaction rates mean employees are accustomed to IT support calls and are less likely to apply rigorous verification. A retail associate accustomed to receiving calls from central IT about POS system updates or VPN credential resets has little basis to distinguish a legitimate call from a spoofed one. Second, these sectors maintain large Salesforce CRM deployments containing millions of customer records, employee PII, and confidential business documents — exactly the data BlackFile targets in its exfiltration phase. Third, retail and hospitality organizations often under-invest in security operations relative to their data exposure, creating a favorable attacker-to-defender capability gap.

BlackFile's campaign escalated against these sectors in February 2026, with RH-ISAC issuing a sector-wide alert on April 24, 2026 following confirmed incidents across multiple member organizations. The group has struck at least a dozen retail chains, with individual victim losses including both the extortion demand and significant operational disruption costs.

Similar vishing-led extortion targeting hospitality was documented in the [Booking.com STORM-1865 ClickFix campaign](/blog/booking-com-storm-1865-clickfix-reservation-breach) in early 2026, suggesting a broader attacker interest in credential theft from consumer-facing service businesses.

BlackFile's exfiltration methodology represents a significant evolution in how extortion groups approach data theft. Rather than deploying custom malware, post-exploitation frameworks, or exploit-based lateral movement, BlackFile operators use the legitimate API access that enterprise applications grant to authenticated users.

Once inside a Salesforce instance, attackers use standard export and download functions to pull CSV datasets of customer records, employee information, and confidential business documents. The Microsoft Graph API provides equivalent access to SharePoint content — a standard function that any properly authenticated Microsoft 365 session can invoke. Searches are targeted: BlackFile specifically hunts for documents containing keywords including 'confidential' and 'SSN,' maximizing extortion value.

This approach has significant defensive implications. Traditional DLP tools configured to detect malware behavior or unusual process activity will not flag a legitimate Salesforce export performed under a legitimately authenticated — but attacker-controlled — session. Detection requires inspecting session behavior itself: bulk downloads, off-hours activity, the Python-requests/2.28.1 user-agent that RH-ISAC identified as a consistent BlackFile IOC, and Graph API calls from unexpected geographic origins.

The exfiltration is completed before victim contact begins. By the time a ransom demand arrives, the data is already on attacker infrastructure and published on the dark web — the same pre-extortion publication model seen in the [ShinyHunters Salesforce breach of McGraw-Hill](/blog/shinyhunters-mcgraw-hill-salesforce-breach-45-million), creating maximum pressure before any negotiation begins.

Attribution of BlackFile has been performed by multiple threat intelligence teams. Palo Alto Networks Unit 42 tracks the group as CL-CRI-1116, assessing with moderate confidence a connection to The Com — a loose-knit network of primarily English-speaking young cybercriminals with documented involvement in extortion, violence, swatting, and the recruitment of minors for criminal activity. Mandiant tracks the same cluster as UNC6671, and CrowdStrike uses the alias Cordial Spider, indicating broad industry agreement on the group's existence and activity.

The Com connection matters operationally because it elevates BlackFile beyond a standard financially motivated threat actor. The Com has a documented history of SWATting — reporting false emergencies to law enforcement to trigger armed police responses at the home addresses of extortion targets. Multiple BlackFile victims have experienced SWATting incidents targeting corporate executives during ransom negotiations, introducing a real-world physical danger component that most enterprise security programs are not designed to manage.

For defenders, The Com attribution also means the attacker profile includes individuals motivated by notoriety and disruption as well as financial gain — making negotiation dynamics less predictable than with purely financially motivated RaaS operators. The group's English-language fluency and inside knowledge of corporate helpdesk procedures suggests either direct experience in corporate environments or significant pre-campaign reconnaissance.

The Anubis RaaS group's combination of financial extortion and operational disruption [documented in April 2026](/blog/anubis-ransomware-signature-healthcare-brockton) shows surface similarities, but BlackFile's physical escalation capability is a distinct threat vector organizations must incorporate into their incident response planning.

RH-ISAC's April 24, 2026 advisory contains the most comprehensive public set of BlackFile indicators of compromise, including 21 attacker-controlled IP addresses and the Python-requests/2.28.1 user-agent string. Detection of BlackFile activity is feasible before significant exfiltration occurs — if the right signals are being monitored.

The highest-value detection opportunity is the device registration event that establishes MFA-bypassed persistence. Microsoft Entra ID logs will show a new device enrollment from an IP address or user-agent not previously associated with the account. Conditional Access policies configured to require admin approval for new device registrations, or to flag registrations from locations not previously associated with the user, will surface this activity in near real-time.

In Salesforce, the key signal is bulk export activity — particularly exports of Contact, Lead, and Account records containing PII — performed outside standard business hours or from IP addresses in the published BlackFile IOC list. Salesforce's Event Monitoring add-on provides the granular session-level logs needed. Similarly, Microsoft Graph API calls pulling large volumes of SharePoint files should alert in CASB or SSPM tools configured for anomalous download behavior.

BlackFile's attack chain has four distinct intervention points: the vishing call, the credential harvest, the device registration, and the exfiltration. Defensive controls addressing any one of these points can break the kill chain before significant damage occurs.

BlackFile ransomware vishing attacks have proven that an extortion group can achieve seven-figure ransom demands without any malware, without any exploit, and without triggering any conventional security control — using only a phone call and an employee's instinct to help IT. Block all 21 RH-ISAC IOC IP addresses now, enable Conditional Access device registration controls today, and run a vishing simulation for frontline staff this week. The attack chain is simple — and it is equally simple to break before the data leaves.