Tech News

Microsoft 365: While the Victim Is on the Phone, the Attacker Enrolls Their Own Entra Passkey

Since April 2026, a cybercriminal group has been using vishing to try to convince users to register a new Entra passkey. The pretext is well chosen: Microsoft is currently pushing companies to migrate their users to this authentication method. But by the time the call ends, the passkey that gets enrolled is the attacker’s. Here’s what you need to know about this campaign.

A manually operated phishing kit, in real time

This malicious activity is tracked by Okta under the name O-UNC-066, a cluster that Palo Alto Networks Unit 42 identifies as Pink. According to Okta, the campaign targets companies in the food and beverage, technology, healthcare, automotive, construction, and aerospace sectors. The attackers’ main motivation is data extortion.

Forget the initial email contact here: it all starts with a phone call. The attacker poses as IT support and tells the target they need to register a new passkey "for security reasons". The user is then directed to a subdomain created specifically for their organization, on domain names containing the word passkey. Okta cites in particular: assignpasskey[.]com, deploypasskey[.]com, passkeydeploy[.]com, passkeyadd[.]com and setpasskey[.]com, hosted by DDoS-Guard (AS57724, Russia) and IQWeb FZ-LLC (AS59692, United States).

The page mimics the Entra ID sign-in portal and the Microsoft-style elements are loaded from Microsoft’s CDN. To make the trap look even more convincing, the targeted company’s logo and background are also embedded, but the attacker places them directly on the server side.

The distinctive feature of this phishing kit is that the operation is driven live by a human. "This kit is not a transparent Adversary-in-the-Middle (AitM) proxy, one of the most common types of phishing kits, designed to collect credentials, multifactor authentication (MFA) tokens, and session tokens. It is a PHP panel controlled by an operator, in which a malicious actor guides victims through different authentication steps in near real time, using a one-second 'heartbeat' polling mechanism.", reads Okta’s report.

This allows the attacker to adapt the process throughout the conversation with the victim, including displaying the MFA method expected by Microsoft:

  • TOTP challenge: the victim is sent to a /submit-authenticator page.
  • SMS code: the victim lands on /submit-otp.
  • Push notification with number matching: the victim sees an /approve-authenticator page and enters in their app the number dictated by the operator.

The credentials and MFA responses are relayed to the attacker’s control panel (/backend.php), which replays them live on the real Microsoft login page. Meanwhile, the user is shown a waiting page.

The attacker enrolls the passkey

Once access is obtained, the attacker can finally move on to enrolling their passkey. But they still need to keep the victim on the line and occupied while they carry out the necessary steps. The victim, meanwhile, ends up on a new Microsoft-branded page prompting them to "save their recovery key", which keeps them busy for a few seconds.

"On the /passkey page, the targeted user is redirected to a Microsoft-branded page that encourages them to 'register their recovery key' from a list of BIP-39 phrases controlled by the attacker." This has nothing to do with the usual Microsoft Entra process.

Source: Okta

Meanwhile, the attacker enrolls their own passkey. If the attacker keeps the victim on the line until the end, that is probably the reason: Microsoft sends an email notification whenever a passkey is registered. The difference is that the enrolled passkey belongs to the attacker, not the victim (the recovery key backup is entirely fake). Okta says the attacker must choose the passkey name, which can be inspired by the recovery phrase the victim has just saved. As a result, the legitimate email will look perfectly normal to the user, since they believe it matches what they have just done.

When a best practice becomes a pretext

The choice of passkey is no accident. "Starting in May 2026, Microsoft administrators can create passkey enrollment campaigns that prompt users to enroll at sign-in, and in some circumstances, these prompts are enabled by default.", write Okta researchers. In other words, an employee asked to register a passkey has no particular reason to be suspicious. They may have already seen the prompt in their browser or received an internal communication about it. The broader shift toward phishing-resistant authentication, which Microsoft has accelerated since Entra passkeys were enabled for Windows sign-in, is being used as cover by attackers.

There is also a paradox here: passkeys are designed to resist phishing, since the private key never leaves the device and authentication is bound to the site origin. Attackers therefore are not going after the passkey itself, but rather the enrollment process, and the classic password + MFA combo that protects access to that process.

Okta’s recommendations boil down to a few points, all of which apply beyond its own customers:

  • Enroll users with phishing-resistant authentication methods for MFA (passkeys, smart cards) to eliminate SMS codes and TOTP. In this case, that would be a real obstacle because the attacker would not be able to sign in to the victim’s account.
  • Establish, communicate, and follow a procedure to verify the identity of a support caller when they contact a user.
  • Block requests coming from geographic regions where the organization does not operate (country, ASN, or IP filtering).
  • Restrict access to sensitive applications to managed devices protected by endpoint security tooling.
  • Notify users of every event in the lifecycle of their authentication methods, including passkey additions.

Vishing (voice phishing) is a real threat to businesses. Just a few days ago, I mentioned fake IT support calls on Teams used to deploy the EtherRAT malware.

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.