Skip to main content
Emerging Threats

Phishing Campaign Targets Microsoft 365 Users with Voice-Based Entra Passkey Scam

Person sitting at desk with concerned expression, looking at phone near open laptop.

"[The phishing kit] is an operator-controlled PHP panel in which a threat actor steers victims through various stages of authentication in close to real-time using a 1-second heartbeat polling mechanism," explains Okta.

The attack in plain terms

Since April, a threat actor has been calling Microsoft 365 users across multiple sectors and urging them to enroll a new Entra passkey, then directing those users to phishing URLs that include the word “passkey” in the domain. The malicious sites mimic the legitimate Microsoft Entra passkey enrollment portal and carry the target organization’s branding. While victims believe they are completing a security upgrade, the attacker is registering a passkey that the attacker controls.

The phishing kit and real-time steering (Okta)

Okta’s analysis describes a phishing kit that is not a simple static page or a classic adversary-in-the-middle proxy. Instead, it is an operator-controlled PHP panel that relays credentials and multi-factor authentication (MFA) responses to the attacker and allows the operator to adapt the flow to the victim’s MFA method — including time-based one-time passwords (TOTP), push notifications with number matching, and SMS OTP. Okta says the kit uses a 1-second heartbeat polling mechanism so the operator can guide a victim through authentication stages in near real time.

After obtaining credentials and MFA responses, the attacker authenticates to the victim’s Microsoft account and presents fake Microsoft-branded passkey registration pages. The site prompts victims to save a fake BIP-39 recovery phrase and to confirm one word — a step Okta notes has no role in legitimate Microsoft Entra passkey enrollment and appears to be a distraction for unfamiliar users.

Attribution: Okta’s O-UNC-066 and Palo Alto Unit 42’s Pink

Okta attributes the activity to an actor it calls O-UNC-066, which the company says operates an extortion operation known as Pink. Palo Alto Networks Unit 42 describes Pink as a new extortion brand affiliated with the decentralized threat network called The Com (short for The Community). Brad Duncan, Principal Threat Researcher at Palo Alto Networks Unit 42, noted in early June that some of the phishing domains used by Pink included the word "passkey."

Palo Alto researchers reported that Pink uses vishing and IT-impersonation tactics to collect credentials and MFA codes, then moves quickly to exfiltrate data. The group launched an extortion site on May 31 where it publishes samples of stolen data to pressure victims into paying.

Targets, exfiltration, and observed industries

Okta reports that O-UNC-066 has targeted organizations in food and beverage, technology, healthcare, automotive, construction, and aviation. After gaining access to compromised accounts, researchers say Pink rapidly exfiltrates data from SharePoint and OneDrive services, using the account access to collect material to publish on its extortion site.

What this means for technologists, helpdesk staff, and affected enterprises

  • Technologists and security teams: Okta recommends establishing methods to better verify the identity of helpdesk personnel when contacting users and denying requests from locations where the company does not offer services. The Picus whitepaper cited in the reporting also highlights a detection gap, stating security teams log 54% of successful attacks but alert on only 14%, underscoring opportunities to test SIEM and EDR rules against this class of deception.
  • Helpdesk staff and end users: Because the campaign uses voice calls to direct targeted users into a crafted enrollment flow, frontline employees who handle reset or enrollment requests should verify caller identity and be trained to treat unsolicited passkey enrollment requests as suspicious.
  • Affected enterprises in named industries: Organizations that rely on Microsoft 365 and Entra for identity should inventory where passkey enrollment is enabled and review administrative options opened in May that allow administrators to run “passkey registration campaigns,” since that administrative capability is the feature the attacker is imitating.

The campaign combines phone-based social engineering with a responsive, operator-driven phishing kit and rapid post-login data collection. The facts reported by Okta and Palo Alto Networks show a multi-step operation: vishing to lure users, a tailored phishing flow to harvest credentials and MFA responses, registration of an attacker-controlled passkey, and swift exfiltration of SharePoint and OneDrive content followed by public extortion. Organizations relying on Entra and Microsoft 365 access should treat unsolicited passkey enrollment prompts as high-risk and harden verification of any helpdesk-initiated requests.

Original story