Pink Hacking Group Targets Enterprise Cloud Credentials

A newly identified threat actor dubbed “Pink” has emerged with a focused campaign targeting enterprise users to steal cloud storage credentials. The group employs sophisticated phishing techniques, credential harvesting infrastructure, and evasion tactics to compromise corporate accounts across major cloud platforms including Microsoft 365, Google Workspace, and Dropbox. Organizations should immediately review authentication logs, enforce MFA, and educate users on recognizing advanced phishing attempts.

Introduction

Cybersecurity researchers have identified a new threat actor operating under the moniker “Pink,” conducting targeted campaigns against enterprise users to steal cloud storage credentials. Unlike opportunistic phishing operations, Pink demonstrates advanced operational security, customized social engineering tactics, and infrastructure designed specifically to evade detection by enterprise security solutions.

The campaign represents an evolution in credential theft operations, with attackers demonstrating deep understanding of corporate workflows, cloud authentication mechanisms, and security product blind spots. Initial victim telemetry suggests the group has successfully compromised hundreds of enterprise accounts across multiple sectors, with particular focus on organizations in technology, finance, and professional services.

This emerging threat highlights the persistent challenge of securing cloud environments where a single compromised credential can provide attackers with access to sensitive corporate data, intellectual property, and potentially pivot points into broader network infrastructure.

Background & Context

Cloud credential theft has become increasingly lucrative as organizations migrate critical data and operations to cloud platforms. According to recent industry reports, over 95% of enterprises now use cloud services for core business functions, making cloud credentials among the most valuable targets for threat actors.

The Pink group appears to have emerged in late 2023, though some infrastructure analysis suggests preparation began months earlier. Unlike ransomware groups or advanced persistent threats (APTs) with political motivations, Pink’s objectives appear primarily financial—selling stolen credentials on underground markets or using them for business email compromise (BEC) operations.

What distinguishes Pink from commodity phishing operations is their investment in infrastructure and tradecraft. The group operates multiple phishing kits specifically tailored for different cloud platforms, employs reverse proxy techniques to bypass multi-factor authentication in real-time, and demonstrates operational discipline in target selection and attack timing.

Previous credential harvesting campaigns typically relied on generic templates and mass distribution. Pink’s approach involves reconnaissance, personalized lures referencing legitimate business contexts, and timing attacks to coincide with typical business hours when users are more likely to engage without scrutiny.

Technical Breakdown

Pink’s attack chain follows a multi-stage process designed to maximize success while minimizing detection:

Initial Access

Attacks begin with spear-phishing emails crafted to appear as legitimate communications from cloud service providers or internal IT departments. Messages typically reference urgent security updates, shared document notifications, or expiring access warnings that require immediate action.

The emails contain links to attacker-controlled domains using typosquatting techniques and legitimate-looking subdomain structures:

https://login-verification.microsoft-services[.]com
https://accounts.google-workspace[.]net  
https://secure-dropbox[.]business

Credential Harvesting Infrastructure

Pink employs reverse proxy phishing kits, specifically modified versions of tools like Evilginx2 and Modlishka. These frameworks intercept authentication sessions in real-time, capturing credentials and session cookies while presenting users with legitimate login pages proxied from actual cloud services.

The infrastructure includes:

User → Phishing Domain → Reverse Proxy → Legitimate Cloud Service
                ↓
         Credential Capture
         Session Cookie Theft
         MFA Token Interception

This technique defeats traditional MFA because the proxy captures valid session tokens during legitimate authentication, allowing attackers to replay sessions without requiring additional authentication factors.

Evasion Techniques

Pink demonstrates several sophisticated evasion capabilities:

  • Geofencing: Phishing pages only display to IP addresses matching target organization ranges, returning 404 errors to security researchers and sandboxes
  • User-Agent Filtering: Blocking known security tools and automated scanners
  • Time-Limited Links: Phishing URLs expire after short periods or single use
  • HTTPS with Valid Certificates: Using Let’s Encrypt certificates for legitimate-appearing connections
  • Anti-Analysis JavaScript: Code that detects browser automation and developer tool usage

Post-Compromise Activity

After successful credential capture, Pink actors typically:

  • Access victim accounts within minutes to prevent MFA re-authentication
  • Download cloud storage contents, focusing on documents containing financial data, credentials, or intellectual property
  • Configure email forwarding rules to maintain persistent access to communications
  • Search for additional credentials in stored documents
  • Clear access logs where possible or use legitimate session patterns to blend with normal activity

Impact & Risk Assessment

The Pink campaign poses significant risks across multiple dimensions:

Data Breach Exposure

Compromised cloud storage accounts provide direct access to sensitive corporate data. Analysis of targeted organizations suggests average potential exposure includes:

  • 10,000+ documents per compromised account
  • Customer databases and PII
  • Financial records and planning documents
  • Intellectual property and trade secrets
  • Internal credentials and API keys

Business Email Compromise

Stolen email credentials enable BEC attacks where actors impersonate executives or vendors to authorize fraudulent transactions. Industry data shows average BEC losses exceed $120,000 per incident.

Supply Chain Risk

Compromised accounts at service providers or vendors create supply chain attack opportunities, potentially affecting downstream customers and partners.

Regulatory Consequences

Data breaches resulting from compromised credentials trigger notification requirements under GDPR, CCPA, and sector-specific regulations, with potential fines ranging from thousands to millions of dollars depending on jurisdiction and scope.

Reputational Damage

Customer trust erosion following credential-based breaches can result in lost business, particularly for professional services firms where data security is a core value proposition.

Vendor Response

Major cloud service providers have implemented various countermeasures:

Microsoft has enhanced Azure AD Identity Protection with improved anomalous authentication detection and is rolling out certificate-based authentication options that resist proxy-based attacks.

Google has updated Workspace security with context-aware access controls and improved suspicious login detection, including analysis of TLS fingerprints to identify reverse proxy connections.

Dropbox has implemented device verification requirements and enhanced alert mechanisms for unusual access patterns.

However, these provider-side controls require active configuration and don’t prevent all attack vectors. The shared responsibility model means organizations must implement complementary controls.

Several security vendors have released indicators of compromise (IOCs) related to Pink infrastructure, and threat intelligence platforms now include Pink-specific detection signatures.

Mitigations & Workarounds

Organizations should implement layered defenses against credential phishing:

Authentication Hardening

Deploy phishing-resistant authentication methods:

# Enable the FIDO2 security key method tenant-wide (Microsoft Graph PowerShell)
# Note: the legacy MSOnline cmdlet Set-MsolUser -StrongAuthenticationMethods has no
# FIDO2 method type; FIDO2 is switched on through the Authentication methods policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" `
    -BodyParameter @{
        "@odata.type" = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
        state         = "enabled"
    }

Conditional Access Policies

Implement context-based authentication requirements:

  • Require compliant devices for cloud access
  • Block access from anonymizing proxies and VPNs
  • Enforce re-authentication for sensitive operations
  • Restrict access based on impossible travel scenarios

Email Security Controls

Deploy advanced email filtering:

  • DMARC enforcement to prevent domain spoofing
  • Link protection with time-of-click URL inspection
  • Banner warnings for external emails
  • Attachment sandboxing for suspicious files

Detection & Monitoring

Implement monitoring for indicators of Pink compromise:

Authentication Log Analysis

Monitor for suspicious patterns:

  • Multiple failed login attempts followed by success
  • Successful authentication from unusual geolocations
  • User-Agent strings associated with proxy tools
  • Session cookies used without password authentication
  • Rapid authentication followed by bulk data access

Cloud Access Anomaly Detection

Configure alerts for:

triggers:
  - bulk_download: >500MB in single session
  - new_email_rule: forwarding to external domain
  - api_access: new application permissions granted
  - geographic_anomaly: access from new country
  - permission_change: sharing settings modified
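The two lists above (sign-in patterns and cloud access triggers) can be checked with one pass over sign-in and activity events. The following is an added example, not code from the report or from any vendor product: it runs a handful of the stated rules (failures followed by success, login from a country not in the user's baseline, a session-cookie sign-in with no password factor, a suspicious user agent, a bulk download shortly after sign-in, and an inbox rule forwarding to an external domain) over a constructed log. The log format, field names, baselines and thresholds are all assumptions for the demonstration; real sign-in logs (Entra ID, Workspace audit, Dropbox events) carry the same information under different field names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). One event per line:
# timestamp|user|event|country|auth_method|user_agent|detail
SAMPLE_LOG = """\
2024-03-04T09:01:10|alice@example.com|login_failed|US|password|Mozilla/5.0 Chrome/122|bad password
2024-03-04T09:01:25|alice@example.com|login_failed|US|password|Mozilla/5.0 Chrome/122|bad password
2024-03-04T09:01:40|alice@example.com|login_success|US|password+mfa|Mozilla/5.0 Chrome/122|interactive
2024-03-04T09:03:05|alice@example.com|login_success|NL|session_cookie|python-requests/2.31|token replay
2024-03-04T09:05:30|alice@example.com|download|NL|session_cookie|python-requests/2.31|bytes=734003200
2024-03-04T09:06:02|alice@example.com|inbox_rule_created|NL|session_cookie|python-requests/2.31|forward_to=mail@evil-example.net
2024-03-04T10:15:00|bob@example.com|login_success|US|password+mfa|Mozilla/5.0 Firefox/123|interactive
2024-03-04T10:20:00|bob@example.com|download|US|password+mfa|Mozilla/5.0 Firefox/123|bytes=10485760
"""

# Baselines and thresholds (assumed values; tune to the environment)
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}
INTERNAL_DOMAINS = {"example.com"}
SUSPICIOUS_UA = re.compile(r"python-requests|curl/|Go-http-client", re.I)
BULK_BYTES = 500 * 1024 * 1024          # the >500MB trigger from the list above
FAILED_BEFORE_SUCCESS = 2
FAILURE_WINDOW = timedelta(minutes=10)
BULK_AFTER_LOGIN = timedelta(minutes=30)


def parse(log):
    """Turn the pipe-delimited lines into dicts, sorted by time."""
    events = []
    for line in log.splitlines():
        ts, user, event, country, method, ua, detail = line.split("|", 6)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                       "country": country, "method": method, "ua": ua, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (user, alert_kind, detail) tuples; identical alerts are reported once."""
    alerts, seen = [], set()
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    last_login = {}                # user -> timestamp of last successful login

    def add(user, kind, detail):
        if (user, kind, detail) not in seen:
            seen.add((user, kind, detail))
            alerts.append((user, kind, detail))

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "login_failed":
            failures[user].append(ts)
        elif e["event"] == "login_success":
            recent = [t for t in failures[user] if ts - t <= FAILURE_WINDOW]
            if len(recent) >= FAILED_BEFORE_SUCCESS:
                add(user, "failed_then_success", f"{len(recent)} failures in {FAILURE_WINDOW}")
            failures[user].clear()
            last_login[user] = ts
            if e["country"] not in KNOWN_COUNTRIES.get(user, set()):
                add(user, "geographic_anomaly", e["country"])
            if e["method"] == "session_cookie":        # no password or MFA factor in this sign-in
                add(user, "cookie_without_password", e["method"])
        elif e["event"] == "download":
            nbytes = int(e["detail"].split("=", 1)[1])
            if nbytes > BULK_BYTES and user in last_login and ts - last_login[user] <= BULK_AFTER_LOGIN:
                add(user, "bulk_download_after_login", f"{nbytes} bytes")
        elif e["event"] == "inbox_rule_created":
            target = e["detail"].split("=", 1)[1]
            if target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                add(user, "external_forwarding_rule", target)
        if SUSPICIOUS_UA.search(e["ua"]):
            add(user, "suspicious_user_agent", e["ua"])
    return alerts


def run_detection(log=SAMPLE_LOG):
    return detect(parse(log))


if __name__ == "__main__":
    for user, kind, detail in run_detection():
        print(f"{user:20} {kind:28} {detail}")
```

On the constructed log every alert lands on the same account within a few minutes: failures then success, a sign-in from a new country with only a session cookie and a scripted client, a large download, and a forwarding rule to an external mailbox. That clustering is the signal worth paging on; any single rule in isolation produces noise (two failed passwords before a good one is normal behaviour).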

Network-Level Detection

Monitor DNS and proxy logs for Pink infrastructure indicators:

# Example detection rule (Suricata syntax). sid and rev are mandatory for the
# engine to load the rule; sids from 1000000 upward are the conventional local range.
alert dns any any -> any 53 (
  msg:"Possible Pink phishing domain";
  dns_query; content:"microsoft-services";
  pcre:"/microsoft-.*\.(com|net|org)$/";
  reference:url,cydhaal.com/pink-iocs;
  classtype:bad-unknown;
  sid:1000001; rev:1;
)
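The IDS rule above matches one known string. The same check can be run retrospectively over resolver logs, and generalised: flag any query whose registrable domain carries a brand token (microsoft, google, dropbox, ...) but is not one of the domains that brand actually uses. The following is an added example, not code from the report or from any vendor; the log format, the allowlist of legitimate domains, and the brand token list are assumptions for the demonstration (a production allowlist would come from the organisation's own vendor inventory, and registrable-domain extraction should use the public suffix list rather than the last two labels).

```python
import re

# Constructed DNS resolver log (not real data): timestamp client query_type name
SAMPLE_DNS_LOG = """\
2024-03-04T09:00:01 10.0.0.15 A login.microsoftonline.com
2024-03-04T09:00:04 10.0.0.15 A login-verification.microsoft-services.com
2024-03-04T09:00:09 10.0.0.22 A accounts.google-workspace.net
2024-03-04T09:00:12 10.0.0.22 A drive.google.com
2024-03-04T09:00:20 10.0.0.31 A secure-dropbox.business
2024-03-04T09:00:25 10.0.0.31 A www.example.com
"""

# Assumed allowlist: registrable domains the monitored brands legitimately serve logins from
LEGITIMATE = {
    "microsoft.com", "microsoftonline.com", "live.com", "office.com",
    "google.com", "googleapis.com", "gstatic.com", "dropbox.com",
}
BRAND_TOKENS = ("microsoft", "google", "workspace", "dropbox", "office365", "onedrive")
# The expression from the Suricata rule above, applied to the whole query name
PINK_PCRE = re.compile(r"microsoft-.*\.(com|net|org)$", re.I)


def registrable_domain(name):
    """Last two labels; adequate for this sample, not for multi-label suffixes like co.uk."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(name):
    """Return a list of reasons the name looks like brand impersonation, or None if clean."""
    rd = registrable_domain(name)
    if rd in LEGITIMATE:
        return None
    reasons = []
    if PINK_PCRE.search(name):
        reasons.append("matches Pink signature")
    if any(tok in rd for tok in BRAND_TOKENS):
        reasons.append(f"brand token in non-allowlisted domain {rd}")
    return reasons or None


def scan_log(log=SAMPLE_DNS_LOG):
    """Yield (client, name, reasons) for every flagged query in the log."""
    hits = []
    for line in log.splitlines():
        _ts, client, _qtype, name = line.split()
        reasons = classify(name)
        if reasons:
            hits.append((client, name, reasons))
    return hits


if __name__ == "__main__":
    for client, name, reasons in scan_log():
        print(f"{client:12} {name:48} {'; '.join(reasons)}")
```

The brand-token rule catches all three lookalike hosts listed under Initial Access, including the two the IDS signature would miss, at the cost of depending on a well-maintained allowlist; a missing legitimate domain (a CDN or API host) shows up as a false positive rather than a miss, which is the safer failure direction for this class of alert.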

Best Practices

Implement comprehensive credential protection:

User Education: Conduct regular phishing simulation exercises specifically targeting cloud credential scenarios. Train users to verify URL legitimacy before authentication and report suspicious requests.

Hardware Security Keys: Deploy FIDO2-compliant hardware tokens for administrative and high-value accounts. These cryptographic authenticators cannot be phished through reverse proxy attacks.
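Why a reverse proxy that relays a complete login, as described under Credential Harvesting Infrastructure, still fails against FIDO2/WebAuthn comes down to origin binding: the browser, not the page, writes the origin it actually loaded into clientDataJSON, and the authenticator signs authenticatorData together with the hash of that clientDataJSON. The relying party therefore rejects an assertion whose origin is the proxy's domain, and if the proxy edits the origin field in transit the signature no longer verifies. The following is an added example, not code from the report or from any WebAuthn library: it models the relying-party checks on constructed data, with the relying party domain, the challenge values and the authenticator key all assumed, and an HMAC standing in for the real public-key signature so that the block runs with the standard library only. The proxy origin reuses one of the lookalike hosts listed earlier in the report. (In a real browser the ceremony would not even start on the proxy's domain, because rpId must be a registrable suffix of the page's own domain; the example shows what the relying party would reject if it did.)

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party (RP); the proxy origin is one of the lookalike hosts from the report.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-verification.microsoft-services.com"


def rp_id_hash():
    return hashlib.sha256(RP_ID.encode()).digest()


def browser_assertion(page_origin, challenge, key):
    """Model of what browser + authenticator return to a page.
    The browser fills `origin` from the URL it actually loaded; page script (or a proxy
    rewriting HTML) cannot choose it. The authenticator signs
    authenticatorData || SHA-256(clientDataJSON). HMAC stands in for ECDSA/EdDSA here."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"), sort_keys=True).encode()
    auth_data = rp_id_hash() + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash | flags(UP) | counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def rp_verify(assertion, issued_challenge, key):
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != rp_id_hash():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not cover the presented clientDataJSON"
    return True, "ok"


def rewrite_origin(assertion, new_origin):
    """Models a proxy editing the origin field in transit; the signature still covers the old bytes."""
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = new_origin
    edited = dict(assertion)
    edited["clientDataJSON"] = json.dumps(cd, separators=(",", ":"), sort_keys=True).encode()
    return edited


def run_scenarios(key=b"constructed-authenticator-key"):
    challenge = secrets.token_urlsafe(32)
    direct = browser_assertion(EXPECTED_ORIGIN, challenge, key)
    proxied = browser_assertion(PROXY_ORIGIN, challenge, key)
    return {
        "direct": rp_verify(direct, challenge, key),
        "proxied": rp_verify(proxied, challenge, key),
        "proxied_origin_rewritten": rp_verify(rewrite_origin(proxied, EXPECTED_ORIGIN), challenge, key),
        "replayed_old_challenge": rp_verify(direct, secrets.token_urlsafe(32), key),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:26} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Contrast this with a password plus one-time code: nothing in that exchange names the origin, so the proxy can forward both factors unchanged and the service has no way to tell the relayed login from a direct one. The per-request challenge check in the same function is what stops a captured assertion from being replayed later.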

Privileged Access Management: Implement just-in-time access for administrative functions, requiring approval workflows and time-limited elevation rather than persistent privileged credentials.

Zero Trust Architecture: Adopt continuous verification models that validate every access request regardless of origin, reducing the impact of compromised credentials.

Incident Response Planning: Develop and test runbooks specifically for cloud credential compromise scenarios, including credential rotation procedures and forensic data collection methods.

Key Takeaways

  • Pink represents an evolution in credential theft operations with sophisticated infrastructure and targeting
  • Reverse proxy techniques defeat traditional MFA, requiring phishing-resistant authentication methods
  • Organizations must implement layered defenses including technical controls, monitoring, and user education
  • Cloud service providers offer enhanced security features that require active configuration
  • Rapid detection and response are critical as attackers move quickly after credential capture
  • Hardware security keys and certificate-based authentication provide strongest protection against these attacks
