BlackFile Hackers Target Retail and Hospitality with Vishing Attacks, Demand Seven-Figure Ransoms
A new financially motivated hacking group, **BlackFile**, has been linked to a series of data theft and extortion attacks targeting retail and hospitality organizations since February 2026. The group uses sophisticated social engineering tactics, impersonating corporate IT helpdesk staff to steal employee credentials and demand substantial ransoms.

**BlackFile**, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is employing increasingly sophisticated tactics to compromise organizations, according to a report shared by **Palo Alto Networks'** Unit 42 with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).
Unit 42 researchers have also tentatively linked **BlackFile** to "The Com," a network of cybercriminals known for targeting and recruiting young individuals for illicit activities.
Attacks Begin with Vishing
The group's attacks typically start with phone calls to employees, using spoofed numbers to impersonate IT support. These threat actors lure staff to fake corporate login pages, prompting them to enter their credentials and one-time passcodes.
"The attackers behind CL-CRI-1116 use voice-based phishing (vishing) from spoofed Voice over Internet Protocol (VoIP) numbers or fraudulent Caller ID Names (CNAM) as a social engineering technique, typically posing as IT support staff," RH-ISAC stated in their report.
"We can confirm that we are seeing a significant increase in Blackfile matters and that TTPs appear to be very similar to such groups as **ShinyHunters** and SLSH and similar copycats employing vishing/social engineering data exploit tactics," CyberSteward founder and CEO **Jason S.T. Kotler** told BleepingComputer.
Bypassing MFA and Escalating Privileges
Using stolen credentials, **BlackFile** attackers register their own devices to bypass multi-factor authentication (MFA). They then escalate access to executive-level accounts by scraping internal employee directories.
Data Exfiltration and Extortion
**BlackFile** steals data from victims' **Salesforce** and **SharePoint** servers using standard API functions, specifically targeting files containing sensitive information such as "confidential" and "SSN."
The exfiltrated documents are downloaded to attacker-controlled servers and published on the gang's dark web data leak site before ransom demands are issued via compromised employee email accounts or randomly generated **Gmail** addresses.

"By leveraging **Salesforce** API access and standard **SharePoint** download functions, the attackers move large volumes of data, including CSV datasets of employee phone numbers and confidential business reports, to attacker-controlled infrastructure," RH-ISAC added.
"This is often done under the guise of legitimate SSO-authenticated sessions to avoid triggering simple user-agent alerts."
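The pattern described in this section, a freshly registered MFA device followed by a burst of API or download-function requests for files whose names contain "confidential" or "SSN", is something a defender can hunt for in audit logs. The following detector is an added example written for this article; it is not code from Unit 42, RH-ISAC or any vendor. The audit-line format, the user and file names, the thresholds and the lookback window are all constructed assumptions for the example and do not match the real Salesforce or SharePoint audit schemas.

```python
"""Added example (not from the report): flag a user whose session registers a new
MFA device and then bulk-downloads files with sensitive keywords in their names.
Log format, names and thresholds below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Keywords the report says the attackers look for in file names.
SENSITIVE_KEYWORDS = ("confidential", "ssn")
BULK_THRESHOLD = 5                   # assumed: downloads per window that count as "bulk"
WINDOW = timedelta(minutes=30)       # assumed sliding window for counting downloads
DEVICE_LOOKBACK = timedelta(hours=24)  # assumed: how recent a device add is "suspicious"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # constructed actions: "MFA_DEVICE_ADDED" or "FILE_DOWNLOAD"
    detail: str   # device label or file name


def parse_line(line: str) -> Event:
    """Parse one constructed audit line: '<iso-ts> <user> <ACTION> <detail>'."""
    ts, user, action, detail = line.split(" ", 3)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, detail)


def is_sensitive(file_name: str) -> bool:
    """True when the file name carries one of the keywords the attackers target."""
    lower = file_name.lower()
    return any(k in lower for k in SENSITIVE_KEYWORDS)


def detect(lines):
    """Return one alert per user whose downloads exceed BULK_THRESHOLD inside WINDOW.

    Each alert records how many of those files looked sensitive and whether an MFA
    device was added in the DEVICE_LOOKBACK period before the burst started.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        downloads = [e for e in evs if e.action == "FILE_DOWNLOAD"]
        device_adds = [e.ts for e in evs if e.action == "MFA_DEVICE_ADDED"]
        for i, start in enumerate(downloads):
            # Sliding window anchored at each download; events are time-sorted.
            window = [d for d in downloads[i:] if d.ts - start.ts <= WINDOW]
            if len(window) < BULK_THRESHOLD:
                continue
            sensitive = sum(is_sensitive(d.detail) for d in window)
            new_device = any(timedelta(0) <= start.ts - t <= DEVICE_LOOKBACK
                             for t in device_adds)
            # Device-add plus sensitive files is the report's full pattern -> "high".
            severity = "high" if (new_device and sensitive) else "medium"
            alerts.append({"user": user, "window_start": start.ts.isoformat(),
                           "downloads": len(window), "sensitive": sensitive,
                           "new_device": new_device, "severity": severity})
            break  # one alert per user per run is enough for triage
    return alerts


# Constructed sample log: alice shows the full pattern, bob is normal activity.
SAMPLE_LOG = """\
2026-03-02T08:05:00Z alice@corp.example MFA_DEVICE_ADDED device=Unknown-Android
2026-03-02T09:00:00Z alice@corp.example FILE_DOWNLOAD Q1_confidential_forecast.xlsx
2026-03-02T09:02:00Z alice@corp.example FILE_DOWNLOAD employee_phone_list.csv
2026-03-02T09:04:00Z alice@corp.example FILE_DOWNLOAD payroll_SSN_export.csv
2026-03-02T09:06:00Z alice@corp.example FILE_DOWNLOAD board_minutes_confidential.docx
2026-03-02T09:08:00Z alice@corp.example FILE_DOWNLOAD vendor_contracts.zip
2026-03-02T09:10:00Z alice@corp.example FILE_DOWNLOAD SSN_reconciliation.csv
2026-03-02T10:00:00Z bob@corp.example FILE_DOWNLOAD lunch_menu.pdf
2026-03-02T10:30:00Z bob@corp.example FILE_DOWNLOAD team_photo.jpg
2026-03-02T11:00:00Z bob@corp.example FILE_DOWNLOAD travel_policy.pdf
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Because the report notes the transfers ride on legitimate SSO-authenticated sessions, a user-agent check alone will not catch them; correlating a recent device registration with download volume and file-name keywords, as above, gives a signal that does not depend on the client looking unusual. In production the thresholds would be tuned per role, since some staff legitimately pull large exports.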
Swatting Attempts
Employees of compromised companies, including senior executives, have also been targeted with swatting attempts. This tactic involves placing hoax emergency calls to first responders, reporting a fake crisis at the victim's address, to exert additional pressure on the victim.
**Mandiant** has also confirmed that they are actively responding to several vishing incidents that led to data theft and extortion, including one that used a **BlackFile** victim-shaming site (now offline).
Mitigation Strategies
To mitigate the success of **BlackFile**'s attacks, RH-ISAC recommends that organizations:
* Strengthen their call-handling policies.
* Enforce multi-factor identity verification for callers.
* Conduct simulation-based social engineering training for frontline staff.