www.okta.com
Vishing Campaign Targets Microsoft 365 Passkey Enrollment Process
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Since April 2026, a threat actor identified as O-UNC-066, also known as 'Pink', has been executing a vishing campaign aimed at Microsoft 365 users. The campaign exploits a new passkey enrollment feature introduced by Microsoft in May 2026, targeting organizations in various sectors, including food and beverage, technology, and healthcare. Attackers call users, convincing them to register a new passkey, while directing them to a phishing site that mimics the legitimate Microsoft enrollment process. The phishing kit is designed to collect user credentials and MFA responses in real-time, allowing the attacker to gain unauthorized access to victims' accounts. Okta has observed this activity but has not confirmed any direct compromises of Microsoft accounts. The phishing URLs used in the campaign contain the word 'passkey' and are tailored to each victim's organization. The threat actor's ultimate goal appears to be data extortion.
Key Points: • Threat actor O-UNC-066, known as 'Pink', is behind the vishing campaign targeting Microsoft 365 users. • The campaign exploits a new Microsoft feature for passkey enrollment, launched in May 2026. • Phishing sites mimic legitimate Microsoft processes, collecting user credentials and MFA responses.