PROBABLYPWNED
Threat IntelligenceJuly 9, 20263 min read

Pink Vishing Campaign Hijacks Entra Passkeys to Steal M365 Accounts

Threat actor O-UNC-066 runs voice phishing campaign tricking Microsoft 365 users into enrolling attacker-controlled Entra passkeys. Real-time MFA bypass enables full account takeover.

Alex Kowalski

A threat actor tracked as O-UNC-066 has been running voice phishing attacks against Microsoft 365 users since April, convincing employees to enroll Entra passkeys that attackers control. The campaign abuses Microsoft's legitimate passkey enrollment feature, and Okta's threat intelligence team attributes the activity to an extortion operation branded "Pink."

Once attackers register their own passkey on a victim's account, they have persistent access that survives password resets.

How the Attack Works

The attack begins with a phone call. Victims receive calls from someone claiming to be IT security, informing them they must enroll a new Microsoft Entra passkey for security compliance. The caller directs them to a phishing URL containing "passkey" in the domain name.

What victims see looks like the legitimate Microsoft passkey enrollment process. But it's an operator-controlled PHP panel that the attacker manipulates in real-time. The panel polls every second, allowing the operator to adapt the flow based on whatever MFA method the victim uses—TOTP codes, push notifications with number matching, or SMS OTPs.

Every credential and MFA response entered by the victim gets relayed to the attacker, who simultaneously authenticates to the real Microsoft account. The operator then completes the passkey enrollment on their own device. The victim thinks they've secured their account. They've actually given the attacker persistent access.

This approach defeats MFA entirely because the attacker isn't just capturing credentials—they're using them in real-time before session tokens expire.

Who's Being Targeted

Okta reports that O-UNC-066 has targeted organizations across food and beverage, technology, healthcare, automotive, construction, and aviation sectors. The breadth suggests opportunistic targeting rather than sector-specific focus.

The Pink extortion site launched May 31, 2026. While attribution remains ongoing, Okta notes connections to "The Com," a decentralized threat network that has produced multiple SIM-swapping and social engineering operations. The EvilTokens device code phishing surge we covered yesterday shows a similar pattern of attackers finding creative ways around MFA.

Exploiting a Legitimate Feature

Microsoft opened passkey registration campaigns to administrators in May, allowing them to prompt users to enroll passkeys for stronger authentication. O-UNC-066 is weaponizing that legitimate workflow.

One tell that should alert victims: the phishing kit presents a fake BIP-39 recovery phrase prompt. Microsoft's actual passkey enrollment process does not request seed phrases. Anyone asked to enter a 12 or 24-word recovery phrase during Microsoft authentication is being phished.

The attack also highlights a gap in employee training. Most security awareness programs cover email phishing and credential harvesting. Fewer prepare employees for phone-based attacks where a caller claims to be from IT and provides a legitimate-looking URL.

Defensive Recommendations

  1. Establish verbal verification procedures for any IT request involving credential changes or authentication enrollment—ideally a callback to a known IT number
  2. Configure conditional access policies to deny authentication requests from unexpected geographic regions
  3. Monitor passkey enrollment events in Entra ID audit logs for unusual registration patterns
  4. Train helpdesk staff to recognize and report suspected vishing attempts
  5. Review newly enrolled passkeys across your tenant for any devices that don't match known employee hardware

For organizations evaluating passkey adoption, this campaign doesn't diminish the security value of passkeys—phishing-resistant authentication remains stronger than passwords and TOTP. But enrollment processes need protection. Consider requiring in-person verification or device attestation before allowing new passkey registration.

The Pink operation demonstrates that attackers will adapt to new security features faster than most defenders anticipate. For more background on social engineering techniques, see our guide.

Related Articles