The BlackFile campaign involves financially motivated attackers from the CL-CRI-1116 cluster using voice phishing combined with credential harvesting through fake login pages. They impersonate IT support to steal credentials and bypass MFA protections. The attackers employ Living Off the Land techniques by abusing legitimate APIs such as Microsoft Graph to access SharePoint and Salesforce data within SaaS environments. They search for confidential and employee information, exfiltrating it via browser downloads or API exports. Extortion is enforced through ransom demands sent via Gmail and compromised accounts, with some cases involving SWATting of executives to increase pressure. This campaign does not exploit a software vulnerability but relies on social engineering and abuse of legitimate cloud service APIs.

The impact includes theft of sensitive corporate and employee data from SaaS platforms, leading to potential financial loss and reputational damage. Victims face extortion demands reaching seven-figure sums. The attackers' ability to bypass multi-factor authentication and abuse legitimate APIs increases the difficulty of detection and mitigation. Additionally, the use of SWATting tactics poses physical safety risks to targeted executives.

There is no software patch available as this threat is based on social engineering and abuse of legitimate APIs. Organizations should focus on user awareness training to recognize vishing and phishing attempts, enforce strong authentication policies including phishing-resistant MFA methods, monitor for suspicious API activity, and implement strict access controls on SaaS platforms. Incident response plans should include procedures for handling extortion demands and potential SWATting threats. Review and restrict permissions for API access to minimize data exposure.