
A threat actor has been targeting organizations across multiple sectors with voice-based fake security requests that ask Microsoft 365 users to enroll a new Entra passkey.
The attacker is taking advantage of a new capability Microsoft opened to administrators in May, allowing them to run “passkey registration campaigns” to entice users to enrol passkeys for more secure authentication.
The campaign has been running since April and involves calling targeted users and trying to convince them to register a new passkey under the attacker’s control.
To mask the deception, the hacker directs victims to a phishing kit that imitates the legitimate Microsoft passkey enrollment process.
Cloud-based identity and access management (IAM) company Okta attributes the activity to an actor it tracks as O-UNC-066, which operates an extortion operation known as Pink.
Okta says that O-UNC-066 has been targeting users at organizations in the food and beverage, technology, healthcare, automotive, construction, and aviation industries.
The security upgrade ruse
During the campaign, targeted employees are contacted by phone under the pretext that they must enroll a new Microsoft Entra passkey for security reasons and are directed to phishing URLs that contain the word “passkey” in the domain name.
The malicious websites include the victim organization’s branding and mimic the real Entra passkey enrollment portal.
Unlike the more common adversary-in-the-middle (AiTM) proxy, the kit is an operator-controlled PHP panel in which the attacker guides the victim through the phishing process in real time, adapting the flow based on the multi-factor authentication (MFA) method used.
“[The phishing kit] is an operator-controlled PHP panel in which a threat actor steers victims through various stages of authentication in close to real-time using a 1-second heartbeat polling mechanism,” explains Okta.
“The operator can use the kit to adapt the user experience to each victim’s MFA requirements (TOTP, push notification with number matching, SMS OTP) during the session.”
Credentials and MFA responses entered by the victim in the kit’s screens are relayed to the operator, who uses them to authenticate to the victim’s Microsoft account.

Source: Okta
While the victim believes they are registering a new passkey on their accounts, the attacker is actually registering a passkey they control.
After gaining access, the phishing site presents the victim with fake Microsoft-branded passkey registration pages, prompting them to save a fake BIP-39 recovery phrase and confirm one word from it.

Source: Okta
Okta notes that BIP-39 seed phrases don’t have any role in legitimate Microsoft Entra passkey enrollment, but could serve as a distraction for users who are unfamiliar with the process.
Pink extortion gang
According to Palo Alto Networks Unit 42, Pink is a new extortion brand affiliated with the decentralized threat network known as The Com (short for The Community).
The threat actor is known for using vishing (voice phishing) and IT impersonation to collect credentials and multi-factor authentication (MFA) codes, which are used in attacks that steal company data.
The Pink threat group launched an extortion site on May 31, where they publish samples of the stolen data to pressure compromised victims into paying a ransom.

Source: Okta
Researchers say that after gaining access to a victim’s account, Pink moves quickly to exfiltrate data from SharePoint and OneDrive services.
Brad Duncan, Principal Threat Researcher at Palo Alto Networks Unit 42, noted in early June that some of the phishing domains used by Pink included the word “passkey.”
Okta recommends that organizations establish methods to better verify the identity of helpdesk personnel when contacting users, as well as deny requests from locations where the company does not offer services.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.


