Pink Vishing Campaign Hijacks Entra Passkeys to Steal M365 Accounts
Threat actor O-UNC-066 runs voice phishing campaign tricking Microsoft 365 users into enrolling attacker-controlled Entra passkeys. Real-time MFA bypass enables full account takeover.
A threat actor tracked as O-UNC-066 has been running voice phishing attacks against Microsoft 365 users since April, convincing employees to enroll Entra passkeys that attackers control. The campaign abuses Microsoft's legitimate passkey enrollment feature, and Okta's threat intelligence team attributes the activity to an extortion operation branded "Pink."
Once attackers register their own passkey on a victim's account, they have persistent access that survives password resets.
How the Attack Works
The attack begins with a phone call. Victims receive calls from someone claiming to be IT security, informing them they must enroll a new Microsoft Entra passkey for security compliance. The caller directs them to a phishing URL containing "passkey" in the domain name.
What victims see looks like the legitimate Microsoft passkey enrollment process. But it's an operator-controlled PHP panel that the attacker manipulates in real-time. The panel polls every second, allowing the operator to adapt the flow based on whatever MFA method the victim uses—TOTP codes, push notifications with number matching, or SMS OTPs.
Every credential and MFA response entered by the victim gets relayed to the attacker, who simultaneously authenticates to the real Microsoft account. The operator then completes the passkey enrollment on their own device. The victim thinks they've secured their account. They've actually given the attacker persistent access.
This approach defeats MFA entirely because the attacker isn't just capturing credentials—they're using them in real-time before session tokens expire.
Who's Being Targeted
Okta reports that O-UNC-066 has targeted organizations across food and beverage, technology, healthcare, automotive, construction, and aviation sectors. The breadth suggests opportunistic targeting rather than sector-specific focus.
The Pink extortion site launched May 31, 2026. While attribution remains ongoing, Okta notes connections to "The Com," a decentralized threat network that has produced multiple SIM-swapping and social engineering operations. The EvilTokens device code phishing surge we covered yesterday shows a similar pattern of attackers finding creative ways around MFA.
Exploiting a Legitimate Feature
Microsoft opened passkey registration campaigns to administrators in May, allowing them to prompt users to enroll passkeys for stronger authentication. O-UNC-066 is weaponizing that legitimate workflow.
One tell that should alert victims: the phishing kit presents a fake BIP-39 recovery phrase prompt. Microsoft's actual passkey enrollment process does not request seed phrases. Anyone asked to enter a 12 or 24-word recovery phrase during Microsoft authentication is being phished.
The attack also highlights a gap in employee training. Most security awareness programs cover email phishing and credential harvesting. Fewer prepare employees for phone-based attacks where a caller claims to be from IT and provides a legitimate-looking URL.
Defensive Recommendations
- Establish verbal verification procedures for any IT request involving credential changes or authentication enrollment—ideally a callback to a known IT number
- Configure conditional access policies to deny authentication requests from unexpected geographic regions
- Monitor passkey enrollment events in Entra ID audit logs for unusual registration patterns
- Train helpdesk staff to recognize and report suspected vishing attempts
- Review newly enrolled passkeys across your tenant for any devices that don't match known employee hardware
For organizations evaluating passkey adoption, this campaign doesn't diminish the security value of passkeys—phishing-resistant authentication remains stronger than passwords and TOTP. But enrollment processes need protection. Consider requiring in-person verification or device attestation before allowing new passkey registration.
The Pink operation demonstrates that attackers will adapt to new security features faster than most defenders anticipate. For more background on social engineering techniques, see our guide.
Related Articles
81M Login Attempts: Massive Azure CLI Password Spray Campaign
Attackers exploited deprecated OAuth ROPC flow to bypass MFA, compromising 78 accounts across 64 organizations. Attack originated from Hong Kong and China infrastructure.
Jul 2, 2026Silent Ransom Gang Sends Fake IT Staff Into Law Firm Offices
Mandiant tracks UNC3753 hitting dozens of law firms via vishing and physical intrusions. Data theft to extortion in under one hour. FBI issues flash alert.
Jun 9, 2026FBI: Extortion Gang Walks Into Law Firms Posing as IT Staff
Silent Ransom Group escalates from vishing to physical infiltration. FBI FLASH alert warns 38+ law firms already breached, with operatives plugging USB drives into office computers.
May 28, 2026FBI Warns Kali365 PhaaS Steals Microsoft 365 Tokens at Scale
New phishing-as-a-service platform bypasses MFA via OAuth device code flow. FBI PSA details how Kali365's AI-generated lures and $250/month pricing are enabling widespread credential theft.
May 24, 2026