Vishing Campaign Targets Microsoft 365 Users with Fake Entra Passkey Enrollments
A sophisticated vishing campaign, attributed to the threat actor **O-UNC-066** (also known as **Pink**), is actively targeting **Microsoft 365** users across various sectors. The attackers leverage social engineering to trick victims into enrolling a malicious **Entra** passkey, effectively granting the threat actors persistent access to corporate accounts.
Threat actors are exploiting a new **Microsoft** capability that allows administrators to initiate passkey registration campaigns. This campaign, which has been ongoing since April, involves phone calls to targeted employees, convincing them to register a new passkey under the attacker's control.
### The Deceptive Security Upgrade
During the vishing calls, employees are informed that they must enroll a new **Microsoft Entra** passkey for security reasons. They are then directed to phishing URLs that often include the word βpasskeyβ in the domain name. These malicious websites are meticulously designed to mimic the legitimate **Entra** passkey enrollment portal, often incorporating the victim organization's branding.
Unlike traditional adversary-in-the-middle (AiTM) proxies, this phishing kit is an operator-controlled PHP panel. The attacker actively guides the victim through the phishing process in real-time, adapting the flow based on the multi-factor authentication (MFA) method used.
**Okta** explains, βThe operator can use the kit to adapt the user experience to each victim's MFA requirements (TOTP, push notification with number matching, SMS OTP) during the session.β
Credentials and MFA responses entered by the victim are relayed to the operator, who then uses them to authenticate to the victimβs **Microsoft** account. While victims believe they are registering a legitimate passkey for their own accounts, the attacker is, in fact, registering a passkey they control.

After gaining initial access, the phishing site presents victims with fake **Microsoft**-branded passkey registration pages, prompting them to save a fabricated **BIP-39** recovery phrase and confirm one word from it.

**Okta** notes that **BIP-39** seed phrases have no role in legitimate **Microsoft Entra** passkey enrollment. Their inclusion serves as a distraction for users unfamiliar with the proper process.
### The Pink Extortion Gang
Cloud-based identity and access management (IAM) company **Okta** attributes this activity to **O-UNC-066**, an actor associated with the extortion operation known as **Pink**. **Palo Alto Networks Unit 42** identifies **Pink** as a new extortion brand linked to the decentralized threat network **The Com** (The Community).
**Pink** is known for employing vishing and IT impersonation to harvest credentials and MFA codes, which are then used to exfiltrate company data. The group launched an extortion site on May 31, where they publish samples of stolen data to pressure compromised victims into paying a ransom.

Researchers indicate that after gaining account access, **Pink** rapidly exfiltrates data from **SharePoint** and **OneDrive** services. Brad Duncan, Principal Threat Researcher at **Palo Alto Networks Unit 42**, observed in early June that some of the phishing domains used by **Pink** included the word βpasskey.β
**Okta** recommends that organizations implement robust methods to verify the identity of helpdesk personnel when contacting users. Additionally, denying requests from locations where the company does not operate can further mitigate risks.