TL;DR
A loosely affiliated English-speaking crew tracked as BlackFile (also: CL-CRI-1116, UNC6671, Cordial Spider) has been executing a devastatingly simple playbook since February 2026: call an employee, pretend to be IT, harvest credentials and a live TOTP code, register an attacker-controlled device to bypass MFA, then drain every SaaS environment you can reach via Microsoft Graph and Salesforce APIs. The RH-ISAC issued a sector-wide alert on April 24, 2026, following confirmed incidents across multiple retail and hospitality member organizations. Seven-figure ransom demands. Swatting of executives. No custom malware anywhere in the chain.
This is a defender's playbook for the entire kill chain—what to detect, how to respond, and why every traditional control fails against a patient human caller armed with an internal directory.
Background: Who Is BlackFile?
BlackFile is not a sophisticated nation-state. It is financially motivated, largely English-speaking, and with moderate confidence linked by Unit 42 to The Com—the loosely organized cybercrime collective known for aggressive social engineering, swatting, and recruitment of minors into criminal operations [1].
The group surfaces in public attribution under multiple aliases:
- BlackFile — the name the group uses for its data leak site (DLS)
- CL-CRI-1116 — Unit 42 / Palo Alto Networks tracking cluster
- UNC6671 — Google Mandiant designation, noting overlap with ShinyHunters SaaS theft expansion [2]
- Cordial Spider — CrowdStrike adversary designation [3]
The overlapping designations reflect competing vendor attribution with shared TTP fingerprints, not distinct groups. The TTPs are consistent: no malware, no exploits, pure identity abuse.
Their activity began in January 2026, escalated in February, and reached full operational pace by April. Mandiant confirmed active incident response involvement in multiple vishing cases, including at least one using a now-offline BlackFile victim-shaming site.
Technical Analysis: The Full Attack Chain
Phase 0: Resource Development (T1583.001)
Before the first call is placed, BlackFile operators build their infrastructure:
- SSO phishing clones — pixel-perfect replicas of corporate Okta, Microsoft Entra, or CyberArk SSO pages, often hosted on domains like corp-helpdesk[.]support or via subdomain spoofing
- Antidetect browsers — commercial tools (GoLogin, Multilogin, Linken Sphere) that randomize fingerprint, canvas hash, screen resolution, and browser entropy to defeat behavioral fraud controls
- Residential proxies — sessions routed through compromised home IP ranges in the victim's country/state, defeating IP reputation and geo-based Conditional Access policies
- TOTP relay infrastructure — real-time phishing panels (EvilProxy, Modlishka variants) capable of proxying OTP codes in under three seconds, faster than most users register that the prompt is suspicious
Internal employee directories—the feedstock for initial targeting—come from LinkedIn scraping, prior breach data, and in some cases from compromised executive accounts at earlier victims where an internal org chart was exfiltrated.
Phase 1: Initial Access — The Vishing Call (T1566.004)
The attack starts with a phone call. The caller ID is spoofed to display a number that matches the organization's internal IT helpdesk or a recognized carrier. The caller's pitch is one of several well-rehearsed scenarios:
- "We've detected unusual sign-in activity on your account. I need to verify your identity and reset your access."
- "IT is rolling out a mandatory MFA update today. I need to walk you through the steps."
- "Your account triggered a DLP policy alert. Compliance requires we verify your access before end of business."
The urgency is calibrated. The social proof is specific (they often know the employee's name, team, manager, and recent work activity pulled from LinkedIn or prior recon). The ask is narrow: just log into this portal so we can verify.
The portal is the SSO clone. The employee enters credentials. The phishing panel relays them to the real SSO in real time and requests an MFA push or TOTP. The employee enters the code. The attacker's backend completes the authentication and captures a live session token before the 30-second TOTP window expires.
Key insight: This attack succeeds because employees are trained to answer security-sounding calls from IT. Security awareness training that focuses only on email phishing produces employees who will not click a link but will comply with the same request over the phone.
Phase 2: MFA Bypass and Device Registration (T1098.005)
With a live authenticated session, the first move is device registration—adding an attacker-controlled endpoint to the victim's identity provider as a "trusted device." In Microsoft Entra / Azure AD environments, this is executed via the Device Registration endpoint (https://device.login.microsoftonline.com).
Once a device is registered, subsequent authentication from that device bypasses TOTP prompts entirely. The attacker now has durable access that survives password resets (unless the device registration itself is revoked).
From the initial compromised account, the attackers move laterally using a predictable pattern:
1. Internal directory scraping — query Microsoft Graph API (/v1.0/users?$top=999) or Salesforce SOQL to enumerate all employees, their roles, and contact information
2. Executive targeting — identify CFO, CPO, VP Engineering, or General Counsel accounts
3. Second-wave vishing — call or message those executives, now with additional social proof sourced from the internal directory: "Hi, this is [real employee name] from IT, I'm working through a ticket system issue…"
4. Account escalation — compromise the executive account, gaining Salesforce sysadmin or SharePoint site collection admin permissions
Phase 3: Data Collection and Exfiltration (T1213 / T1567.002)
BlackFile's exfiltration is methodical and API-native. No custom malware means no EDR alerts on process injection. No lateral movement tooling means no Mimikatz or BloodHound flags. The entire exfiltration pipeline runs through legitimate authenticated API sessions.
Microsoft Graph (SharePoint):
GET /v1.0/sites/{siteId}/drives/{driveId}/root/children
GET /v1.0/sites/search(q='confidential')
GET /v1.0/sites/search(q='SSN')
The Sites.Read.All Graph permission—often granted broadly in enterprise Microsoft 365 tenants—is sufficient to download every SharePoint document across the organization.
Salesforce API:
SELECT Id, Name FROM Document WHERE Name LIKE '%confidential%'
SELECT SSN__c, First_Name__c, Last_Name__c FROM Contact
Standard Salesforce REST API calls over authenticated OAuth sessions. The data looks identical to legitimate reporting tool traffic.
Data is staged to attacker-controlled infrastructure or exfiltrated via commercial file-sharing services (MEGA, LimeWire). Sessions are designed to mimic legitimate business activity—business hours, realistic transfer rates, user-agent strings matching the victim's standard browser.
Phase 4: Extortion and Leverage (T1657)
Ransom demands arrive via:
- Compromised employee accounts — email from a real internal address dramatically increases credibility and confusion
- Burner Gmail addresses — for follow-up pressure
- The BlackFile DLS — data published with a countdown timer before public release
Demands are typically seven figures. Leverage includes:
- Swatting — false emergency calls made to law enforcement, directing armed response to executives' home addresses
- Direct harassment — employees at multiple levels receive personal communications
- Incremental leaks — partial data dumps as negotiation pressure
The use of swatting as a tactical extortion tool makes BlackFile materially more dangerous than typical data theft gangs. Law enforcement response to swatting events has, in some documented cases, resulted in physical danger.
IOCs / Indicators
Note: Specific domain IOCs rotate rapidly. The following behavioral patterns are higher-fidelity detection signals than static IOCs.
Infrastructure fingerprints (search in proxy/DNS logs):
- Domains registered within 7 days of first contact with the organization
- SSO-impersonating domains: patterns like corp-helpdesk[.], sso-verify[.], identity-portal[.], okta-support[.]
- ASNs associated with residential proxy providers (e.g., Luminati/Bright Data, Oxylabs, IPRoyal reseller ranges)
Identity provider telemetry:
- New device registration from a previously unseen IP/ASN immediately following a successful MFA event
- Graph API queries for /v1.0/users?$top=999 or other bulk directory enumeration from a non-service-account user
- Sites.Read.All permission use from a user account (not a registered app) accessing more than 10 SharePoint sites in under 60 minutes
- Salesforce bulk export or SOQL queries containing SSN, confidential, or password from non-admin user sessions
Telephony indicators:
- VoIP calls to employee extensions from numbers with CNAM spoofed to internal IT values
- Spike in helpdesk call volume correlated with subsequent account anomaly alerts (temporal correlation window: 0–30 minutes)
Lyrie Take: Why Autonomous Defense Changes This Equation
BlackFile's playbook is built on a precise assumption: defenders react slower than humans can lie.
The attack window between a successful vishing call and completed exfiltration is typically under four hours in observed incidents. The complete kill chain—call, credential capture, device registration, directory scrape, executive account compromise, SaaS exfiltration—can run in under six hours when the attacker is experienced and the target is unprepared.
The fatal gap is between the moment an attacker-controlled device registers in your identity provider and the moment your security team reviews the alert. In most organizations, that gap is measured in hours. In understaffed environments, it is measured in days.
What machine-speed autonomous detection changes:
A system monitoring Entra sign-in logs in real time can flag device registration events within seconds. Correlating device registration origin against the immediately preceding IP history (was there a successful TOTP event from a new geographic location 40 seconds ago?) is a deterministic detection that requires no human judgment—only speed. An autonomous response that immediately quarantines the registered device and forces re-authentication on that session can compress the attacker's operational window from hours to under three minutes.
Lyrie's architecture is built around exactly this class of identity anomaly. The correlation between "successful MFA bypass" → "immediate new device registration" → "Graph API bulk directory query" is a three-event chain that produces near-zero false positives and fires within the same minute the attack occurs. The attacker's residential proxy and antidetect browser defeat IP reputation and fingerprint checks—they cannot defeat temporal logic applied to authenticated session events.
The human-speed gap is BlackFile's business model. Closing it is a machine-speed problem.
Defender Playbook
Tier 1: Prevent the Call from Working
Training that actually covers vishing:
- Explicit scenario: "IT will never call you and ask you to log into a portal."
- Callback verification policy: any caller claiming to be IT must be verified via a known-good number (internal directory, not caller-provided)
- Executive briefing: VPs and C-suite are higher-value targets, not lower-risk ones
Technical controls on the telephony layer:
- Deploy STIR/SHAKEN attestation validation on inbound VoIP
- Flag inbound calls where CNAM matches internal extensions from external numbers
- Consider implementing a "help desk callback" policy enforced by workflow
Tier 2: Detect the Credential Capture in Real Time
MFA anomaly detection (Entra / Okta):
DETECT: Successful TOTP MFA event from IP not seen in 30-day history
AND: User account has no travel history or VPN usage
AND: TOTP entry occurred within 5 seconds of code generation
→ ALERT: Possible real-time TOTP relay attack
→ ACTION: Force re-authentication, disable active sessions, alert SOC
Device registration gating:
- Require a second admin approval for new device registration from unrecognized IP ranges
- Alert immediately on any device registration not correlated with a known IT deployment workflow
- Audit device registration events daily; revoke unrecognized devices automatically if not acknowledged within 2 hours
Tier 3: Detect the Lateral Movement and Data Theft
Graph API monitoring (Azure Monitor / Sentinel):
AuditLogs
| where OperationName == "Add device"
// AuditLogs keeps the actor and target in dynamic columns; pull them out so the join key and
// the projected fields exist (SigninLogs already exposes UserId, IPAddress, UserPrincipalName)
| extend UserId = tostring(InitiatedBy.user.id),
         RegIP = tostring(InitiatedBy.user.ipAddress),
         DeviceName = tostring(TargetResources[0].displayName),
         RegTime = TimeGenerated
| join kind=inner (
    SigninLogs
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | where ResultType == "0"
    | project UserId, UserPrincipalName, AuthIP = IPAddress, AuthTime = TimeGenerated
) on UserId
| where abs(datetime_diff('second', RegTime, AuthTime)) < 120
| project UserPrincipalName, AuthTime, RegTime, AuthIP, RegIP, DeviceName
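The same correlation as the Sentinel query above, and the three-event chain from the Lyrie Take section (successful MFA from an IP outside the user's 30-day history, device registration within two minutes, bulk Graph directory query within the hour), implemented as an added Python example over a few constructed log records. This is illustration code written for this article, not Lyrie's product logic and not a Microsoft API; the field names (`user`, `ip`, `operation`, `request`, `result`) are simplified stand-ins for the Entra SigninLogs/AuditLogs columns and a Graph activity export, and the sample timestamps and IPs are made up.

```python
from datetime import datetime, timedelta


def parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed logs below."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample telemetry (not real tenant data). Field names are simplified
# stand-ins for Entra SigninLogs, AuditLogs and a Graph activity export.
SIGNIN_LOGS = [
    {"time": "2026-04-20T09:12:05Z", "user": "j.doe@example.test", "ip": "203.0.113.10", "mfa": True, "result": "0"},
    {"time": "2026-04-22T13:40:22Z", "user": "j.doe@example.test", "ip": "203.0.113.10", "mfa": True, "result": "0"},
    # Successful TOTP from an IP never seen for this user: the relayed phishing login.
    {"time": "2026-04-24T10:15:01Z", "user": "j.doe@example.test", "ip": "198.51.100.77", "mfa": True, "result": "0"},
    {"time": "2026-04-24T10:20:00Z", "user": "a.smith@example.test", "ip": "203.0.113.55", "mfa": True, "result": "0"},
]
AUDIT_LOGS = [
    # 47 seconds after the suspicious sign-in: a new device is enrolled.
    {"time": "2026-04-24T10:15:48Z", "user": "j.doe@example.test", "operation": "Add device", "device": "DESKTOP-7Q2X"},
    # Legitimate IT rollout: 70 minutes after the sign-in, outside the window.
    {"time": "2026-04-24T11:30:00Z", "user": "a.smith@example.test", "operation": "Add device", "device": "LAPTOP-ROLLOUT"},
]
GRAPH_ACTIVITY = [
    {"time": "2026-04-24T10:21:10Z", "user": "j.doe@example.test", "request": "GET /v1.0/users?$top=999"},
    {"time": "2026-04-24T10:22:00Z", "user": "j.doe@example.test", "request": "GET /v1.0/sites/search(q='confidential')"},
]


def known_ips(signins, user, before, days=30):
    """IPs from which `user` signed in successfully in the `days` before `before`."""
    window_start = before - timedelta(days=days)
    return {e["ip"] for e in signins
            if e["user"] == user and e["result"] == "0"
            and window_start <= parse(e["time"]) < before}


def is_bulk_directory_query(request):
    """Directory enumeration: a /users listing with an explicit page size."""
    return request.startswith("GET /v1.0/users") and "$top=" in request


def detect_chain(signins, audits, graph, device_window_s=120, query_window_min=60):
    """Flag: successful MFA -> device registered within device_window_s ->
    bulk directory query within query_window_min. Returns one alert per chain."""
    alerts = []
    for s in signins:
        if not (s["mfa"] and s["result"] == "0"):
            continue
        t_auth = parse(s["time"])
        new_ip = s["ip"] not in known_ips(signins, s["user"], t_auth)
        for a in audits:
            if a["user"] != s["user"] or a["operation"] != "Add device":
                continue
            t_reg = parse(a["time"])
            to_device = (t_reg - t_auth).total_seconds()
            if not 0 <= to_device <= device_window_s:
                continue
            bulk = [g for g in graph
                    if g["user"] == s["user"] and is_bulk_directory_query(g["request"])
                    and 0 <= (parse(g["time"]) - t_reg).total_seconds() <= query_window_min * 60]
            # Registration from a known IP with no enumeration is what an IT
            # rollout looks like; only new-IP or enumeration chains are raised.
            if not new_ip and not bulk:
                continue
            alerts.append({
                "user": s["user"],
                "auth_ip": s["ip"],
                "new_ip": new_ip,
                "device": a["device"],
                "seconds_to_device": int(to_device),
                "bulk_queries": [g["request"] for g in bulk],
                "severity": "high" if (new_ip and bulk) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SIGNIN_LOGS, AUDIT_LOGS, GRAPH_ACTIVITY):
        print(alert)
```

Run against the constructed records it raises exactly one alert, for j.doe, with severity high: the sign-in IP is absent from the 30-day baseline, the device registration lands 47 seconds later, and the `$top=999` enumeration follows within the hour. The a.smith registration is ignored because it falls 70 minutes after the MFA event, which is the temporal logic the proxy and antidetect browser cannot change.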
Salesforce anomaly detection:
- Enable Salesforce Event Monitoring (Transaction Security Policies)
- Alert on SOQL queries containing sensitive field names from non-admin profiles
- Alert on bulk export events (>500 records) outside business hours or from unrecognized IP
SharePoint exfiltration detection (DLP + Purview):
- Enable Microsoft Purview communication compliance for Sites.Read.All bulk downloads
- Alert on single-session downloads exceeding 500MB from non-sync clients
- Label sensitive files (SSN, financial, confidential); alert on bulk label-matched downloads
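The Salesforce and SharePoint indicators from the IOC section together with the Tier 3 rules above, as an added Python example that is not part of the original article and is not Salesforce Event Monitoring or Purview code: a sensitive-field SOQL check for non-admin profiles, a bulk-export check (more than 500 rows after hours or from an unknown IP), and a sliding-window count of distinct SharePoint sites per user that excludes app principals and sync clients. Event field names, the admin profile list, the IP allow-list, UTC business hours, and all sample records are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed events below."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


# Substring match on purpose: custom fields such as SSN__c must still hit.
SENSITIVE = re.compile(r"(ssn|confidential|password)", re.IGNORECASE)
ADMIN_PROFILES = {"System Administrator"}             # assumption
KNOWN_IPS = {"203.0.113.20", "203.0.113.55"}          # constructed allow-list

# Constructed Salesforce query events (shape loosely modelled on Event Monitoring
# API/report-export records; field names are assumptions).
SF_EVENTS = [
    {"time": "2026-04-24T22:10:00Z", "user": "j.doe@example.test", "profile": "Standard User",
     "ip": "198.51.100.77", "rows": 12000,
     "soql": "SELECT SSN__c, First_Name__c, Last_Name__c FROM Contact"},
    {"time": "2026-04-24T14:00:00Z", "user": "reports-svc@example.test", "profile": "System Administrator",
     "ip": "203.0.113.20", "rows": 800, "soql": "SELECT Id, Name FROM Account"},
    {"time": "2026-04-24T11:00:00Z", "user": "a.smith@example.test", "profile": "Standard User",
     "ip": "203.0.113.55", "rows": 5,
     "soql": "SELECT Id, Name FROM Document WHERE Name LIKE '%confidential%'"},
]

# Constructed SharePoint access events: j.doe walks 12 distinct sites in 33 minutes
# from a browser; b.lee's 15 sites come from a sync client and are ignored.
_base = parse("2026-04-24T10:30:00Z")
SP_EVENTS = (
    [{"time": (_base + timedelta(minutes=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
      "user": "j.doe@example.test", "site_id": f"site-{i:02d}", "actor": "user", "client": "browser"}
     for i in range(12)]
    + [{"time": (_base + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "user": "b.lee@example.test", "site_id": f"site-{i:02d}", "actor": "user", "client": "sync"}
       for i in range(15)]
    + [{"time": "2026-04-24T10:40:00Z", "user": "a.smith@example.test", "site_id": "site-hr",
        "actor": "user", "client": "browser"}]
)


def check_soql(ev, admin_profiles=ADMIN_PROFILES):
    """Sensitive field names in SOQL issued by a non-admin profile."""
    if ev["profile"] in admin_profiles:
        return None
    m = SENSITIVE.search(ev["soql"])
    return f"sensitive-soql:{m.group(1).lower()}" if m else None


def check_bulk_export(ev, known_ips=KNOWN_IPS, threshold=500, business_hours=(8, 18)):
    """Exports above `threshold` rows are flagged when after hours (UTC, an
    assumption) or from an IP outside the allow-list."""
    if ev["rows"] <= threshold:
        return None
    hour = parse(ev["time"]).hour
    flags = [name for name, hit in (
        ("after-hours", not business_hours[0] <= hour < business_hours[1]),
        ("unknown-ip", ev["ip"] not in known_ips)) if hit]
    return "bulk-export:" + ",".join(flags) if flags else None


def run_salesforce_checks(events):
    """Map user -> list of reasons, omitting users with nothing to report."""
    findings = defaultdict(list)
    for ev in events:
        for reason in (check_soql(ev), check_bulk_export(ev)):
            if reason:
                findings[ev["user"]].append(reason)
    return dict(findings)


def sharepoint_site_spray(events, max_sites=10, window_min=60):
    """Users whose interactive sessions touched more than max_sites distinct sites
    inside any window_min sliding window. App principals and sync clients are
    excluded, matching the Sites.Read.All indicator in the IOC section."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["actor"] != "user" or ev["client"] == "sync":
            continue
        per_user[ev["user"]].append((parse(ev["time"]), ev["site_id"]))
    hits = {}
    for user, rows in per_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > timedelta(minutes=window_min):
                start += 1
            distinct = len({site for _, site in rows[start:end + 1]})
            if distinct > max_sites:
                hits[user] = max(hits.get(user, 0), distinct)
    return hits


if __name__ == "__main__":
    print(run_salesforce_checks(SF_EVENTS))
    print(sharepoint_site_spray(SP_EVENTS))
```

On the constructed data the admin service account's 800-row daytime export from an allow-listed IP produces nothing, while the compromised standard user is reported twice (an SSN field in a SOQL query and a 12,000-row export at 22:10 UTC from an unknown IP) and separately for touching 12 distinct SharePoint sites inside the 60-minute window. The sync-client user with 15 sites is intentionally excluded, which is where a real deployment should tune the client classification against its own OneDrive and app traffic.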
Tier 4: Incident Response Runbook (First 4 Hours)
T+0: Alert fires (device registration anomaly or MFA relay detection)
T+5m: SOC analyst reviews: confirm attacker device, map session timeline
T+10m: Identity response: revoke all sessions for compromised account,
disable attacker device registration, force password reset
T+15m: Scope mapping: query Graph for all API activity in past 2h
from compromised account (downloads, queries, delegated app grants)
T+30m: Affected systems: check Salesforce login history for same credential source IP
T+45m: Executive notification if any exec accounts accessed
T+60m: Telephony review: request call records from telecom, identify originating number
T+90m: Legal/PR standby if exfiltration confirmed
T+2h: Full audit of registered devices across all affected users
T+4h: Incident report draft: scope, TTPs, data classes potentially affected
If swatting threat is received:
- Immediately notify local law enforcement with context ("extortion threat, swatting probable")
- Provide home addresses of named executives to local PD proactively
- Do not negotiate; involve FBI IC3 immediately
Sources
1. Palo Alto Networks Unit 42 / RH-ISAC — "Extortion in the Enterprise: Defending Against BlackFile Attacks" (April 24, 2026): https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/
2. Google Mandiant — UNC6671 / ShinyHunters SaaS Expansion: https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
3. CrowdStrike — Cordial Spider adversary profile: https://www.crowdstrike.com/en-us/adversaries/cordial-spider/
4. BleepingComputer — "New BlackFile extortion group linked to surge of vishing attacks" (April 24, 2026): https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs/
5. Microsoft Security Blog — "Inside an AI-enabled device code phishing campaign" (April 6, 2026): https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
6. Infosecurity Magazine — "BlackFile Group Targets Retail and Hospitality with Vishing Attacks" (April 28, 2026): https://www.infosecurity-magazine.com/news/blackfile-group-targets-retail/
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.