BlackFile Extorts Retail, Hospitality via Vishing and SaaS

Phones that ring under the guise of IT support have quietly become breach vectors, as retail counters and hotel front desks field urgent calls that end with executive logins compromised and cloud data queued for export. A new assessment from Unit 42 and RH-ISAC identifies BlackFile, tracked as CL-CRI-1116, as active since February, with behaviors that credibly overlap those attributed to UNC6671, Cordial Spider, and the collective known as "The Com." The campaign leans on voice-based social engineering and abuses everyday software-as-a-service, sidestepping classic malware telltales while blending into SSO-authenticated sessions. What followed, investigators noted, looked less like smash-and-grab ransomware and more like steady extortion that monetized trust: credentials captured by phone, APIs turned into data valves, and seven-figure threats delivered from throwaway Gmail accounts or hijacked corporate inboxes.

Playbook and Defenses

BlackFile began with vishing that sounded plausible because it copied helpdesk cadence: spoofed VoIP caller ID, ticket numbers that felt routine, and scripts tuned to the SSO portals used by store associates and regional managers. Callers asked for password resets or nudged victims to read out one-time codes, timing requests to coincide with on-screen prompts from legitimate identity providers. To evade simple geolocation and browser-fingerprint checks, operators used antidetect browsers that randomized fingerprints and residential proxies that mapped to locations a brand's workforce would expect. The result was a login timeline indistinguishable from a traveling district lead bouncing between stores, complete with credible IP geographies and normal user agents.

Building on that initial foothold, the cluster avoided implants and instead lived off sanctioned features. Device enrollment policies became the next lever: after authenticating once, attackers registered a “new” laptop or phone, then coasted through multi-factor checks that trust known endpoints. Address books and internal directories were mined to identify finance chiefs, legal counsel, and operations heads, creating a ladder for privilege escalation that matched executive workflows. With senior accounts in hand, lateral movement stayed quiet; session patterns mirrored real business hours, and access came through standard SSO tokens, reducing the chance that binary scanning, EDR heuristics, or odd user agents would light up a console.

This approach naturally led to SaaS as the target surface. SharePoint sites and Salesforce objects were combed with term searches like "confidential," "SSN," and "M&A," then exported in bulk through built-in download flows or APIs that produced CSVs and reports. Transfers happened in-browser or via documented endpoints, authenticated by the victim's own identity provider, so alarms tuned to malware beacons or unfamiliar tooling stayed silent. Extortion demands, often seven figures, arrived from random Gmail accounts or, more chillingly, from compromised executive mailboxes to heighten pressure. In several cases, threats escalated to swatting executives, an intimidation layer that weaponized public records. Defensively, the path forward is concrete rather than novel: enforce strict helpdesk call-backs to known numbers, require high-friction reauthentication and device management for any new enrollment, baseline SaaS queries and exports so that anomalies such as bulk downloads from residential IP ranges stand out, and train frontline staff with simulations that normalize slowing down when a caller applies urgency. Retail and hospitality teams that adopted these identity-centric and SaaS-aware controls reduced dwell time, cut off device persistence, and turned BlackFile's operational discipline into an observable pattern rather than an invisible one.
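The two steps described above, a "new" device registered shortly after a helpdesk-driven reset or a residential-proxy sign-in, followed by a bulk SaaS export well above the user's own baseline, can be chained into one detection. The following is an added example written for this page, not code from Unit 42, RH-ISAC, or any vendor; the event schema (`type`, `ip_class`, `rows`), the time windows, and the export thresholds are assumptions you would tune to your own identity-provider sign-in log and SaaS audit log, and the sample events are constructed, not real telemetry.

```python
"""Chain detection: reset/residential sign-in -> new device -> oversized export.

Added example, not from the Unit 42 / RH-ISAC report. The event shape below is
an assumption: map your IdP sign-in log and SaaS audit log into it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

ENROLL_WINDOW = timedelta(minutes=60)   # risky auth -> device registration
EXPORT_WINDOW = timedelta(hours=24)     # device registration -> export
EXPORT_MULTIPLIER = 10                  # export must exceed 10x the user's median
EXPORT_FLOOR = 1000                     # ...and at least this many rows

# Constructed sample events (ISO-8601 UTC timestamps), not real telemetry.
SAMPLE_EVENTS = [
    # dlead: normal day, then the BlackFile-style chain
    {"ts": "2025-03-03T09:00:00", "user": "dlead", "type": "sign_in", "ip_class": "corporate", "device": "LT-1001"},
    {"ts": "2025-03-03T09:05:00", "user": "dlead", "type": "export", "app": "salesforce", "rows": 120},
    {"ts": "2025-03-04T14:10:00", "user": "dlead", "type": "helpdesk_reset", "channel": "phone"},
    {"ts": "2025-03-04T14:12:00", "user": "dlead", "type": "sign_in", "ip_class": "residential", "device": "unknown"},
    {"ts": "2025-03-04T14:15:00", "user": "dlead", "type": "device_registered", "device": "IPHONE-NEW"},
    {"ts": "2025-03-04T14:50:00", "user": "dlead", "type": "export", "app": "sharepoint", "rows": 48000},
    # cfo: ordinary corporate activity, no chain
    {"ts": "2025-03-04T10:00:00", "user": "cfo", "type": "sign_in", "ip_class": "corporate", "device": "LT-2002"},
    {"ts": "2025-03-04T10:30:00", "user": "cfo", "type": "export", "app": "salesforce", "rows": 300},
    # mgr: legitimate new laptop from a corporate IP, big export, no risky auth
    {"ts": "2025-03-04T11:00:00", "user": "mgr", "type": "sign_in", "ip_class": "corporate", "device": "LT-3003"},
    {"ts": "2025-03-04T11:05:00", "user": "mgr", "type": "device_registered", "device": "LT-3003"},
    {"ts": "2025-03-04T11:30:00", "user": "mgr", "type": "export", "app": "sharepoint", "rows": 5000},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return one alert per chain of risky auth -> enrollment -> oversized export.

    Exports that are not part of a chain feed the user's baseline (median rows),
    so a user who normally pulls large reports does not trip the threshold.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        risky_auth_at = None       # last helpdesk reset or residential sign-in
        enrolled_at = None         # device registered inside ENROLL_WINDOW
        enrolled_device = None
        history = []               # row counts of exports outside any chain
        for ev in evs:
            t, kind = _ts(ev), ev["type"]
            if kind == "helpdesk_reset" or (kind == "sign_in" and ev.get("ip_class") == "residential"):
                risky_auth_at = t
            elif kind == "device_registered":
                if risky_auth_at and t - risky_auth_at <= ENROLL_WINDOW:
                    enrolled_at, enrolled_device = t, ev["device"]
            elif kind == "export":
                baseline = median(history) if history else 0
                threshold = max(baseline * EXPORT_MULTIPLIER, EXPORT_FLOOR)
                if enrolled_at and t - enrolled_at <= EXPORT_WINDOW and ev["rows"] > threshold:
                    alerts.append({
                        "user": user, "device": enrolled_device, "app": ev["app"],
                        "rows": ev["rows"], "baseline": baseline, "ts": ev["ts"],
                    })
                    enrolled_at = None   # one alert per chain
                else:
                    history.append(ev["rows"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The corporate-IP enrollment by `mgr` and the routine export by `cfo` produce no alert, which is the point: the signal is the sequence, not any single event, and a bulk export is only suspicious relative to what that user normally pulls.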
