O-UNC-066 Vishing Campaign Abuses Microsoft Entra Passkey Enrollment
- Threat actor: Okta tracks the group as O-UNC-066, also known as "Pink" by Palo Alto Networks Unit 42, behind the campaign.
- Attack vector: Vishing lures Microsoft 365 users into approving attacker-controlled Microsoft Entra passkey enrollment.
- Extortion motive: The group launched a data leak site on May 31, 2026, to pressure compromised organizations.
A vishing campaign abuses Microsoft Entra passkey enrollment to hijack accounts, according to a report published this week by Okta Threat Intelligence. Okta observed targeting across food and beverage, technology, healthcare, automotive, construction, and aviation organizations.
The activity, tracked as O-UNC-066 and known as Pink by Palo Alto Networks Unit 42, has been running since April 2026, with data extortion as its core motive.
O-UNC-066 Weaponizes Passkey Enrollment
The threat actor calls targeted users and convinces them they must register a new passkey, according to the Okta report. Victims are redirected to a phishing page that mimics the Microsoft passkey enrollment flow while the operator quietly registers their own passkey in the victim's Microsoft 365 account.
The pretext is well-timed: as of May 2026, Microsoft administrators have been able to launch passkey registration "nudge" campaigns that prompt users to enroll at sign-in. In some configurations, these nudges are enabled by default, giving the vishing pretext a legitimate-looking backdrop.
The report notes that the kit does not attempt to federate with third-party identity providers such as Okta, and it has not directly observed a Microsoft account compromise through its own visibility.
Operator-Controlled PHP Phishing Panel
The kit is an operator-controlled PHP panel that steers victims through authentication in near real time using a one-second heartbeat polling mechanism. This lets the caller adapt to each victim's MFA requirements, whether TOTP, push with number matching, or SMS OTP.
Passkey-themed pages, including a decoy BIP-39 seed phrase step, distract users while the attacker enrolls their passkey directly with Microsoft Entra ID. Okta says the technique aligns with vishing tradecraft, which it documented in 2025.
Infrastructure and Extortion Operations
The campaign registered per-target subdomains between April and June 2026 under infrastructure hosted on DDoS-Guard (AS57724, Russia) and IQWeb FZ-LLC (AS59692, US). The actors published a data leak site on May 31, 2026, to extort compromised entities publicly.
- deploypasskey.com: April 21 (Tucows, DDoS-Guard);
- passkeydeploy.com: April 23 (Internet Domain Service BS Corp, DDoS-Guard);
- passkeyadd.com: May 8 (Tucows, DDoS-Guard);
- setpasskey.com: May 23 (IQWeb FZ-LLC);
- assignpasskey.com: June 14 (Internet Domain Service BS Corp., DDoS-Guard);
Okta recommends enrolling users in phishing-resistant authenticators such as Okta FastPass, passkeys, or smart cards, and establishing verified methods for confirming the identity of helpdesk personnel who contact users by phone.
In other recent news, Kaspersky reported that device code phishing abuses Microsoft OAuth 2.0 to steal tokens.
The EvilTokens phishing-as-a-service (PhaaS) platform, built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow, hit over 340 organizations by March 2026.
A May warning about Kali365, a kit built on the same device code abuse, mentioned its expansion to target Microsoft, Okta, DocuShare, AWS, and MAX Messenger.








