
Retail and hospitality companies are facing a widening extortion campaign by BlackFile, a financially motivated hacking group using voice calls, fake helpdesk scripts and spoofed caller identities to steal credentials and force ransom negotiations.
The group has been linked to attacks that began surfacing in January 2026, with sustained targeting of customer-facing businesses from February. Its activity has been tracked under several names, including CL-CRI-1116, UNC6671 and Cordial Spider, reflecting overlaps seen by different cyber-intelligence teams. Investigators assess with moderate confidence that the operators are connected to The Com, a loose English-speaking cybercrime ecosystem associated with social engineering, extortion and harassment tactics.
BlackFile’s method marks a shift away from malware-heavy intrusions towards identity abuse. Attackers typically call employees while posing as corporate IT support, using spoofed Voice over Internet Protocol numbers or fraudulent caller-name records to appear legitimate. Targets are directed to phishing pages designed to resemble company single sign-on portals, where credentials and time-based one-time passwords are captured.
Once inside an account, the attackers attempt to register their own devices to bypass multi-factor authentication controls. They then move towards higher-value accounts by scraping internal directories for executives and senior staff. Compromising those accounts gives the group broader access while allowing malicious activity to blend into normal corporate sessions.
Data theft has centred on cloud and software-as-a-service platforms rather than traditional file servers. Attackers have abused Microsoft Graph permissions, SharePoint download functions and Salesforce search or export features to locate sensitive business material. Files containing terms such as “confidential” and “SSN” have been prioritised, along with employee phone lists, business reports and large CSV datasets.
The stolen information is then moved to attacker-controlled infrastructure through browser downloads, API exports or file-sharing services. BlackFile has also maintained a data-leak site to publish stolen material from organisations that do not engage or fail to meet its demands. Ransom demands have typically reached seven figures, with pressure applied through compromised employee emails or newly created Gmail accounts.
Retail and hospitality operators are especially exposed because their staff are accustomed to high volumes of customer and internal calls, often across distributed locations, outsourced support teams and shift-based workforces. Hotels, restaurants, retailers and travel-linked businesses also hold rich stores of personal data, loyalty records, payment-adjacent information, supplier contracts and employee contact details.
The group’s intimidation tactics have gone beyond data publication. Company personnel, including senior executives, have been targeted through swatting attempts, where false emergency reports are made to law enforcement to create fear and force payment. That technique adds a physical-risk dimension to what began as credential theft.
BlackFile’s emergence comes amid a broader surge in phone-based social engineering against enterprises. Several cybercrime groups have adopted similar playbooks, exploiting the gap between technical authentication controls and human trust in internal support processes. Fake helpdesk calls, device enrolment abuse and cloud data scraping have become effective because many organisations still treat voice calls as low-risk internal interactions.
The campaign also shows how attackers are exploiting legitimate tools and permissions. By operating through real logins, valid session tokens and standard application programming interfaces, they reduce the chance of detection by controls tuned to block malware, suspicious binaries or known command-and-control traffic. That makes behavioural monitoring and identity governance more important than conventional perimeter defence.
Security teams are being urged to restrict what IT support can complete during a single phone call, especially password resets, device enrolment and MFA changes. Stronger caller verification, callback procedures using known internal numbers, escalation for sensitive account actions and training for frontline employees are now central controls.
VoIP log analysis, tighter MFA configuration, monitoring of unusual Microsoft Graph and Salesforce activity, and alerts for bulk SharePoint downloads can help detect intrusion attempts. Organisations are also reviewing executive account protections, limiting broad API permissions and rehearsing response plans for extortion attempts that include harassment of staff.
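The detection guidance above (alerts for bulk SharePoint downloads, correlated with fresh device or MFA enrolment) can be expressed as a small triage script. The code below is an added example, not from the article or from any vendor tooling. It runs over constructed audit records whose field names (CreationTime, Workload, Operation, UserId, ClientIP, ObjectId) mimic the shape of Microsoft 365 unified audit log exports; the sample entries, the threshold and window, the Entra ID operation string and the sensitive-term list are all assumptions to be tuned against real data.

```python
"""Flag bulk SharePoint downloads, and downloads that follow a fresh
security-info (MFA device) registration, over constructed audit records.

Added example; the records below are constructed and only mimic the
shape of Microsoft 365 unified audit log entries.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: terms worth prioritising in a triage queue; tune per organisation.
SENSITIVE_TERMS = ("confidential", "ssn", "phone", "payroll")

# Constructed sample: alice behaves normally; bob registers new security info
# from an external address and then pulls six files in six minutes.
SAMPLE_EVENTS = [
    {"CreationTime": "2026-02-10T09:01:00", "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "alice@example.test",
     "ClientIP": "10.0.0.5", "ObjectId": "/sites/hr/Shared Documents/handbook.pdf"},
    {"CreationTime": "2026-02-10T09:05:00", "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "alice@example.test",
     "ClientIP": "10.0.0.5", "ObjectId": "/sites/hr/Shared Documents/holiday-policy.docx"},
    {"CreationTime": "2026-02-10T13:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "User registered security info", "UserId": "bob@example.test",
     "ClientIP": "203.0.113.7", "ObjectId": "bob@example.test"},
] + [
    {"CreationTime": f"2026-02-10T13:{20 + i:02d}:00", "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "bob@example.test",
     "ClientIP": "203.0.113.7", "ObjectId": path}
    for i, path in enumerate([
        "/sites/finance/Shared Documents/Q4-confidential-forecast.xlsx",
        "/sites/hr/Shared Documents/employee-phone-list.csv",
        "/sites/hr/Shared Documents/payroll-SSN-export.csv",
        "/sites/finance/Shared Documents/supplier-contracts.zip",
        "/sites/exec/Shared Documents/board-report.pdf",
        "/sites/hr/Shared Documents/loyalty-members.csv",
    ])
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def bulk_downloads(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: (count, first, last)} for users whose SharePoint
    FileDownloaded events reach `threshold` inside any sliding `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["Workload"] == "SharePoint" and e["Operation"] == "FileDownloaded":
            per_user[e["UserId"]].append(_t(e["CreationTime"]))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold and (user not in hits or count > hits[user][0]):
                hits[user] = (count, times[start], t)
    return hits


def sensitive_download_count(events, user):
    """Count the user's SharePoint downloads whose path carries a sensitive term."""
    return sum(
        1 for e in events
        if e["UserId"] == user and e["Workload"] == "SharePoint"
        and e["Operation"] == "FileDownloaded"
        and any(term in e["ObjectId"].lower() for term in SENSITIVE_TERMS)
    )


def downloads_after_new_device(events, max_gap=timedelta(hours=24), **kw):
    """Correlate bulk downloads with a security-info registration that
    happened up to `max_gap` earlier for the same account."""
    registered = {}
    for e in events:
        if (e["Workload"] == "AzureActiveDirectory"
                and e["Operation"] == "User registered security info"):
            t = _t(e["CreationTime"])
            registered[e["UserId"]] = min(t, registered.get(e["UserId"], t))
    alerts = []
    for user, (count, first, _last) in bulk_downloads(events, **kw).items():
        reg = registered.get(user)
        if reg is not None and timedelta(0) <= first - reg <= max_gap:
            alerts.append({
                "user": user,
                "registered_at": reg,
                "downloads": count,
                "minutes_after_registration": (first - reg).total_seconds() / 60,
                "sensitive_files": sensitive_download_count(events, user),
            })
    return alerts


if __name__ == "__main__":
    for alert in downloads_after_new_device(SAMPLE_EVENTS):
        print(alert)
```

The second detector is the one worth investing in: a burst of downloads on its own is noisy in a business that moves large CSV exports around, but a burst that begins minutes after the same account enrolled new security info, from an address outside the corporate range, matches the sequence the campaign relies on and deserves an immediate callback to the employee through a known internal number.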
BlackFile’s rise underscores a practical vulnerability across service industries: attackers no longer need to break into networks when they can persuade employees to open the door. The next test for retailers and hospitality groups is whether security processes can be redesigned for a threat model in which a convincing phone call is enough to trigger a multimillion-dollar breach.
Follow Arabian Post