Vishing Campaign Abuses Microsoft Entra Passkey Enrollment for Data Extortion
A sophisticated vishing campaign is targeting organizations across various sectors, tricking Microsoft 365 users into 'enrolling' attacker-controlled passkeys. This enables unauthorized access and facilitates data extortion. The threat actor, tracked as **O-UNC-066** by **Okta**, leverages a custom-built phishing kit that mimics the legitimate **Microsoft Entra** passkey registration process.
Threat actors are exploiting the growing adoption of passkeys to launch highly effective phishing attacks. **Okta** has identified a campaign, attributed to **O-UNC-066**, that uses voice-based social engineering to coerce **Microsoft 365** users into compromising their accounts.
### The Vishing Tactic
The attackers register domains containing the word "passkey" and then call targeted users. Posing as security personnel, they persuade victims that they need to register a new passkey for their **Microsoft** account. Industries affected include food and beverage, technology, healthcare, automotive, construction, and aviation.
Once a user is on the phone, they are directed to a convincing phishing kit that mirrors the legitimate **Microsoft** passkey enrollment interface. The deception leads users to believe they are adding a passkey to their own account, when in reality, the threat actor is registering *their* own passkey, granting them unauthorized access.

### Exploiting a Security Upgrade
This campaign coincides with **Microsoft** allowing administrators to configure registration campaigns to encourage passkey adoption. Threat actors are effectively weaponizing a security-enhancing initiative, transforming the passkey upgrade process into a lure for their malicious activities.
Unlike traditional adversary-in-the-middle (**AitM**) phishing pages that often steal credentials and **MFA** tokens, the kit used in these attacks is an operator-controlled **PHP** panel. This allows the attacker to guide the victim through the enrollment process in near real-time, adapting to the victim's **MFA** requirements (e.g., **TOTP**, push notifications with number matching, **SMS OTP**).
### The Attack Chain Unpacked
**Okta** detailed the sequence of actions within the phishing kit:
* **Initial Engagement:** The kit's first page displays a loading icon while performing anti-analysis checks.
* **Credential Harvesting:** Subsequent pages request the user's username and password. These harvested credentials are sent to an operator panel.
* **Real-time MFA Bypass:** An operator (likely distinct from the caller) uses the stolen credentials on the legitimate **Microsoft** sign-in page. The victim sees a 'processing' screen while the operator determines the **MFA** challenge. The kit then presents a tailored page (e.g., `/submit-otp`, `/submit-authenticator`, `/approve-authenticator`) to capture the **MFA** response.
* **Passkey Registration Deception:** Once the attacker gains access, the victim is redirected to a series of **Microsoft**-branded pages (`/passkey/register`, `/passkey`, `/passkey/check`, `/done`) that instruct them to create and verify a passkey. Crucially, the attackers are registering *their own* passkey to the victim's account during this phase.
* **Distraction Tactic:** The recovery key step, which involves a 12-word seed phrase similar to cryptocurrency wallets, is believed to be a distraction to keep the victim occupied while the attacker completes their malicious passkey registration.
**Okta** highlights that the phishing kit preys on users' unfamiliarity with the nuances of passkey authentication. While a real passkey registration would typically involve a system dialog, the phishing pages mimic this without actually registering a passkey on the user's device.
### Actor Attribution
**O-UNC-066** is linked to a threat actor operating a data leak site under the name **Pink** since April 2026. **Palo Alto Networks Unit 42** tracks this cluster as **CL-CRI-1147**, associating it with **The Com**, a decentralized cybercrime collective that includes groups like **Scattered Spider**, **ShinyHunters**, and **LAPSUS$**.