Back to Articles
high

HIGH: Pink Crew Hijacks Microsoft 365 Accounts With Fake Entra Passkey Enrollment Calls

A financially motivated group tracked as O-UNC-066 (Pink) is vishing Microsoft 365 users into a fake Entra passkey enrollment flow, using an operator-controlled PHP panel to relay MFA in real time and register attacker-owned passkeys for persistent account takeover before looting SharePoint and OneDrive.

By Danny Mercer, CISSP — Lead Security Analyst Jul 10, 2026
Is your business exposed? Our McKinney-based security team can assess your risk for free.
Share:

Pour one out for the humble help desk call, because attackers just turned it into a passkey heist. A financially motivated crew is dialing up Microsoft 365 users, pretending to be corporate IT, and walking them through a slick fake enrollment process that ends with the attacker holding a phishing-resistant passkey to the victim's account. The bitter irony here is hard to miss. Passkeys were supposed to be the thing that finally killed credential phishing, and now they are the prize at the end of a phishing call.

Researchers at Okta have been tracking the campaign as O-UNC-066, while Palo Alto Networks Unit 42 files the same activity under CL-CRI-1147. In plainer language, the group brands itself "Pink," runs a data extortion leak site that went live at the end of May 2026, and hangs its hat inside the sprawling cybercriminal collective known as The Com. The operation has been active since April 2026, and it is not a proof of concept or a researcher curiosity. It is a working money machine that has already burned through organizations in food and beverage, technology, healthcare, automotive, construction, and aviation.

What makes this one worth your attention is not some exotic zero-day. There is no CVE to patch here, no CVSS score to quote, and that is precisely the point. This attack abuses a legitimate Microsoft feature and ordinary human trust. In May 2026 Microsoft began nudging users to register passkeys, part of the broader industry push to move everyone off passwords and toward hardware-backed authentication. That well-intentioned campaign handed attackers the perfect pretext. When someone from "IT" calls and says the company is rolling out passkeys and needs you to enroll yours right now, the request lines up perfectly with the real prompts Microsoft has been showing you for weeks. The lie fits neatly inside the truth, which is what good social engineering always does.

The mechanics deserve a walk-through because they are more clever than the usual credential grab. It starts with a voice call, the technique the industry insists on calling vishing. The caller has done homework, pulling names and roles from LinkedIn, public company directories, and old breach dumps, and often references a recent support ticket or an urgent security incident to manufacture pressure. The victim is then directed to a website that looks like a Microsoft Entra passkey enrollment page. The attackers registered a whole stable of domains built around the word "passkey" to sell the illusion, including deploypasskey dot com from April, passkeyadd dot com and setpasskey dot com from May, and assignpasskey dot com from June. Each target got its own subdomain in a format like exampleentity dot setpasskey dot com, so the URL flashing by on the phone looked tailored and plausible. The infrastructure was parked behind DDoS-Guard in Russia and IQWeb in the United States, the kind of bulletproof-adjacent hosting that shrugs off takedown requests.

Behind that pretty front end sits the interesting part. Rather than lean on the transparent reverse-proxy kits that have dominated adversary-in-the-middle phishing for the last few years, Pink built an operator-controlled PHP panel. A human attacker sits at a console and steers each victim through the login flow in close to real time, using a one-second heartbeat that polls for the next move. That live control is what lets the kit defeat multifactor authentication no matter which flavor the victim uses. If the account is protected by a time-based one-time code, the panel collects it at one endpoint. If it uses SMS codes, another endpoint scoops those up. If it relies on push notifications with number matching, the operator relays the matching number so the victim taps approve on a prompt they believe they triggered themselves. The kit even runs anti-analysis checks at a gate stage before it bothers asking for a username and password, which keeps automated scanners and curious researchers from mapping the whole flow.

Now the twist. While the victim is being shepherded through a fake enrollment ceremony, complete with a BIP-39 recovery phrase that the site tells them to write down and confirm, the attacker is quietly logged into the real account using the freshly stolen credentials and MFA response. That recovery phrase is pure theater. Genuine Microsoft Entra passkey enrollment does not involve seed phrases at all, that concept is borrowed straight from cryptocurrency wallets, but almost nobody has actually enrolled a passkey before, so the unfamiliar ritual does not raise alarms. It looks official, it feels technical, and it keeps the victim busy. Meanwhile the operator registers their own passkey against the victim's account inside Microsoft. When the call ends, the attacker no longer needs the password or the phone. They hold a phishing-resistant credential of their own, sitting inside the tenant, surviving password resets and looking every bit as legitimate as the real user's authenticator.

Once inside, Pink does not linger to admire the view. Investigators have watched the group move fast to pull data out of SharePoint and OneDrive, which then feeds the extortion site. This is a smash-and-grab dressed up as an identity upgrade. One saving grace worth noting is that the kit did not handle federation to third-party identity providers, so organizations that route Microsoft 365 authentication through an external identity provider like Okta were shielded from direct account takeover through this particular flow. That is a narrow silver lining, not a strategy.

So what do you actually do about it. Start by accepting that your password policy and your basic MFA are no longer the finish line. The whole campaign works because push-approval and one-time codes can be relayed by a patient human on the other end of a phone. The durable fix is phishing-resistant authentication that cannot be handed over verbally, meaning device-bound passkeys, FIDO2 security keys, Windows Hello for Business, or smart cards, enforced through Conditional Access so that weaker methods simply do not get a victim to the finish line. Just as important, lock down who is allowed to enroll or modify authenticators in the first place. Microsoft Entra lets you constrain authentication method registration by network location and device state, so require that new passkeys and authenticators only get registered from managed, compliant devices sitting on trusted networks rather than from a random residential address in the middle of a phone call. Turn on notifications for every authenticator lifecycle event so that when a new passkey lands on an account, the real user and the security team both hear about it immediately.

The help desk itself needs hardening too, because that is the trust relationship being exploited. If your IT team can reset MFA or approve enrollment based on a friendly voice and a plausible story, so can Pink. Stronger caller verification, callbacks to known numbers, and refusing enrollment requests from unexpected geographies or service locations all raise the cost of the con. On the detection side, hunt for passkey and authenticator registrations that happen shortly after an interactive sign-in from an unusual location, watch for new FIDO2 credentials appearing on accounts that never used them before, and alert on bulk SharePoint or OneDrive downloads that follow a fresh authenticator enrollment. Those three signals stitched together tell the story of this attack in the audit log.

For managed service providers, this campaign is a gift-wrapped conversation starter with every Microsoft 365 customer on the books. Most small and midsize clients enabled MFA years ago, checked the box, and assumed they were done, so a real-world attack that eats push notifications and text codes for breakfast is exactly the wake-up call that justifies a move to phishing-resistant authentication and a Conditional Access hardening project. There is recurring revenue in rolling out FIDO2 keys, tightening authenticator registration policies, and standing up identity threat detection, and there is a natural upsell in help desk security training and vishing-aware tabletop exercises. Position it as protecting the passkey rollout your clients are already being told to do, and you are selling a solution to a headline instead of a hypothetical.

References

Concerned about this threat?

Our security team can assess your exposure and recommend immediate actions.

Get a Free Assessment →