A cyber extortion group is exploiting Microsoft Entra passkey enrollment as part of a sophisticated voice-phishing campaign, manipulating employees into approving attacker access and potentially registering a passkey controlled by the criminals on their Microsoft 365 accounts.
TL;DR
- Okta has tracked the campaign since April 2026 under the identifier O-UNC-066.
- Attackers impersonate IT support and direct employees to customized Microsoft Entra phishing pages.
- The phishing kit adapts in real time to SMS codes, authenticator prompts and number-matching challenges.
- Enterprises across six major industries have been targeted, with data theft and extortion identified as the attackers’ primary motivation.
How Does The Microsoft Entra Passkey Enrollment Attack Work?
According to Okta Threat Intelligence, the operation has been active since April 2026 and is connected to a data-leak site named Pink. Palo Alto Networks Unit 42 reportedly tracks the related cluster as CL-CRI-1147.
The campaign begins when an attacker calls a targeted employee while pretending to represent the organization’s IT or security team. The employee is told that they must register a new Microsoft Entra passkey and is directed to a malicious domain that commonly includes the word “passkey.”
The phishing site copies Microsoft’s interface and incorporates the targeted company’s legitimate logo, background and branding. Generic visual components are loaded from Microsoft’s content delivery network, making the page appear more convincing.
Unlike conventional adversary-in-the-middle phishing tools, the kit uses an operator-controlled PHP panel. A one-second polling mechanism lets the operator control what the victim sees and adapt the process as the legitimate Microsoft authentication flow changes.
“The operator can use the kit to adapt the user experience to each victim’s MFA requirements,” Okta said, noting that it supports time-based one-time passwords, SMS codes and push notifications with number matching.
Credentials entered into the fake portal are sent to the operator, who uses them on Microsoft’s legitimate sign-in page. The phishing site displays a processing screen while the attacker checks which multifactor authentication challenge appears and then presents a matching prompt to the victim.
Once the employee approves the challenge, the attacker gains access to the Microsoft 365 account. The victim is then shown a fake passkey registration process while the attacker may register a credential under their own control.
The kit can also display a Microsoft-branded page asking the employee to save a recovery key consisting of BIP-39 seed words. Okta said it was unaware of any legitimate role for BIP-39 phrases in Microsoft Entra passkey registration, suggesting that the page is intended to distract or reassure unfamiliar users.
Topics For More Insights
Which Enterprises Are Being Targeted?
Okta observed targeting across the food and beverage, technology, healthcare, automotive, construction and aviation sectors. The researchers identified data extortion as the operation’s primary motivation, making corporate email, cloud files and other Microsoft 365 resources potential targets.
The timing strengthens the social-engineering pretext. Microsoft introduced passkey registration campaigns that allow administrators to encourage employees to enroll passkeys during sign-in, giving fraudulent enrollment calls an appearance of legitimacy.
However, the attack does not break FIDO2 passkey cryptography. Microsoft says passkeys use origin-bound public-key cryptography and are “almost impossible to phish.” Instead, the campaign targets weaker authentication methods and employee trust during the enrollment stage.
Microsoft requires users to complete MFA within five minutes before registering a passkey. Administrators can also enforce authenticator attestation, restrict approved models or providers, delete unauthorized passkeys and apply phishing-resistant authentication strengths through Conditional Access.
The incident highlights an emerging enterprise security challenge: even phishing-resistant credentials can be undermined when attackers compromise the process used to issue them.
