Date: 06/04/2026
Severity: High
Summary
The threat actor gains initial access through vishing attacks, impersonating internal IT staff to trick victims into entering their credentials and MFA codes on phishing pages. Once access is obtained, the actor quickly identifies and exfiltrates sensitive data from cloud services such as SharePoint and OneDrive, a tactic commonly observed among Com-affiliated groups. The compromised account is then used to send extortion emails and internal Microsoft Teams messages to further pressure the organization. The campaign also demonstrates infrastructure reuse, with the actor leveraging common second-level domains across multiple targets while customizing third-level subdomains to match the targeted organization, often hosting these phishing domains through DDoS-Guard.
Indicators of Compromise (IOC) List
Domain: passkeyadd.com, passkeydeploy.com, deploypasskey.com
IP Address: 185.178.208.153, 172.93.100.252, 96.232.20.66
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "passkeyadd.com" or url like "passkeyadd.com" or siteurl like "passkeyadd.com" or domainname like "passkeydeploy.com" or url like "passkeydeploy.com" or siteurl like "passkeydeploy.com" or domainname like "deploypasskey.com" or url like "deploypasskey.com" or siteurl like "deploypasskey.com"
Detection Query 2: dstipaddress IN ("185.178.208.153","172.93.100.252","96.232.20.66") or srcipaddress IN ("185.178.208.153","172.93.100.252","96.232.20.66")
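As an added example (not Gurucul's or Unit42's code), the Python below applies the same domain and IP indicators as the two queries above to sample proxy log lines, but matches the registered domain and any subdomain of it, since the actor keeps the second-level domain and customises the third-level label per target. The key=value log format, the "contoso" label and the non-IOC addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# IOC values are the ones listed in this advisory.
IOC_DOMAINS = {"passkeyadd.com", "passkeydeploy.com", "deploypasskey.com"}
IOC_IPS = {"185.178.208.153", "172.93.100.252", "96.232.20.66"}

# Constructed key=value proxy log format (hypothetical, not a real product's).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(line: str) -> dict:
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def matches_ioc_domain(host: str) -> bool:
    """True if host is an IOC domain or any subdomain of one.
    The actor reuses the second-level domain and customises the third-level
    label per target, so <victim>.passkeyadd.com must fire, while a plain
    substring test would also fire on look-alikes such as notpasskeyadd.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def hostname_of(url: str) -> str:
    """Extract the hostname from a URL, tolerating a missing scheme."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()

def scan_line(line: str):
    """Return 'domain', 'ip' or None for one proxy log line."""
    f = parse_fields(line)
    if matches_ioc_domain(hostname_of(f.get("url", ""))):
        return "domain"
    if f.get("dst") in IOC_IPS or f.get("src") in IOC_IPS:
        return "ip"
    return None

# Constructed sample lines; 'contoso' and the 203.0.113.x / 198.51.100.x
# addresses are documentation placeholders.
SAMPLE_LOGS = [
    "ts=2026-06-04T10:01:02Z src=10.0.0.5 dst=185.178.208.153 url=https://contoso.passkeyadd.com/login",
    "ts=2026-06-04T10:01:09Z src=10.0.0.5 dst=203.0.113.10 url=https://notpasskeyadd.com/",
    'ts=2026-06-04T10:02:00Z src=10.0.0.7 dst=172.93.100.252 url="https://203.0.113.20/x"',
    "ts=2026-06-04T10:03:00Z src=10.0.0.8 dst=198.51.100.2 url=https://sharepoint.example.com/",
]

def scan_logs(lines=SAMPLE_LOGS):
    """Return (line index, hit type) for every line matching an IOC."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := scan_line(line))]
```

Calling scan_logs() on the sample lines flags line 0 on the subdomain and line 2 on the destination IP, and ignores the look-alike domain on line 1.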
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-03-Pink-Extortion-Brand-Activity.txt