O-UNC-066 Vishing Campaign Abuses Microsoft Entra Passkey Enrollment

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Threat actor: Okta tracks the group as O-UNC-066, also known as "Pink" by Palo Alto Networks Unit 42, behind the campaign.
  • Attack vector: Vishing lures Microsoft 365 users into approving attacker-controlled Microsoft Entra passkey enrollment.
  • Extortion motive: The group launched a data leak site on May 31, 2026, to pressure compromised organizations.

A vishing campaign abuses Microsoft Entra passkey enrollment to hijack accounts, according to a report published this week by Okta Threat Intelligence. Okta observed targeting across food and beverage, technology, healthcare, automotive, construction, and aviation organizations. 

The activity, tracked as O-UNC-066 and known as Pink by Palo Alto Networks Unit 42, has been running since April 2026, with data extortion as its core motive.

O-UNC-066 Weaponizes Passkey Enrollment

The threat actor calls targeted users and convinces them they must register a new passkey, according to the Okta report. Victims are redirected to a phishing page that mimics the Microsoft passkey enrollment flow while the operator quietly registers their own passkey in the victim's Microsoft 365 account. 

The O-UNC-066 Microsoft sign-in page, regenerated using code extracted from the phishing kit | Source: Okta
The O-UNC-066 Microsoft sign-in page, regenerated using code extracted from the phishing kit | Source: Okta

The pretext is well-timed: as of May 2026, Microsoft administrators have been able to launch passkey registration "nudge" campaigns that prompt users to enroll at sign-in. In some configurations, these nudges are enabled by default, giving the vishing pretext a legitimate-looking backdrop. 

The O-UNC-066 passkey registration page, regenerated using code extracted from the phishing kit | Source: Okta
The O-UNC-066 passkey registration page, regenerated using code extracted from the phishing kit | Source: Okta

The report notes that the kit does not attempt to federate with third-party identity providers such as Okta, and it has not directly observed a Microsoft account compromise through its own visibility.

Operator-Controlled PHP Phishing Panel

The kit is an operator-controlled PHP panel that steers victims through authentication in near real time using a one-second heartbeat polling mechanism. This lets the caller adapt to each victim's MFA requirements, whether TOTP, push with number matching, or SMS OTP. 

The optional O-UNC-066 passkey page, using code extracted from the phishing kit | Source: Okta
The optional O-UNC-066 passkey page, using code extracted from the phishing kit | Source: Okta

Passkey-themed pages, including a decoy BIP-39 seed phrase step, distract users while the attacker enrolls their passkey directly with Microsoft Entra ID. Okta says the technique aligns with vishing tradecraft, which it documented in 2025.

Infrastructure and Extortion Operations

The campaign registered per-target subdomains between April and June 2026 under infrastructure hosted on DDoS-Guard (AS57724, Russia) and IQWeb FZ-LLC (AS59692, US). The actors published a data leak site on May 31, 2026, to extort compromised entities publicly.

Okta recommends enrolling users in phishing-resistant authenticators such as Okta FastPass, passkeys, or smart cards, and establishing verified methods for confirming the identity of helpdesk personnel who contact users by phone.

In other recent news, Kaspersky reported that device code phishing abuses Microsoft OAuth 2.0 to steal tokens. 

The EvilTokens phishing-as-a-service (PhaaS) platform, built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow, hit over 340 organizations by March 2026. 

A May warning about Kali365, a kit built on the same device code abuse, mentioned its expansion to target Microsoft, Okta, DocuShare, AWS, and MAX Messenger. 


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: