Cybercriminals have found a new way to hijack corporate Microsoft accounts by exploiting the very feature meant to protect them: passkeys.
A threat group tracked as O UNC 066, also called Pink by Palo Alto Networks Unit 42, has run a phone based phishing campaign since April 2026 that tricks employees into registering an attacker controlled passkey on their own accounts.
The scheme mixes social engineering with a custom phishing kit. Attackers call employees directly and convince them their account needs a new passkey, a message that sounds routine given Microsoft’s recent push to nudge users toward passwordless sign in.
The victim is guided to a fake login page mirroring their own company’s branding. Behind that page sits an operator controlled panel rather than a fully automated tool.
A live attacker walks each victim through the process step by step, adapting fake screens depending on whether the account uses SMS codes, authenticator app prompts, or push notifications.
This real time control makes the attack harder to catch through automated defenses. Security researchers from Okta identified and detailed this campaign, noting the group’s main goal appears to be data theft for extortion rather than immediate financial fraud.
Okta said in a report shared with Cyber Security News (CSN) that the attackers have already been linked to a public data leak site used to pressure victims.
Affected industries span food and beverage, technology, healthcare, automotive, construction, and aviation. What makes this campaign notable is how it turns a security upgrade into a weapon.
Rather than stealing a password once and moving on, attackers use the fake enrollment to plant a persistent foothold inside the account, one that can outlast a password reset.
Hackers Abuse Microsoft Entra Passkey Enrollment
The attack begins when a target gets a call from someone posing as IT support, insisting a new passkey must be registered. The caller sends a link containing the word passkey, hosted on a domain built to look official.
Once opened, the kit walks the victim through a sequence copying Microsoft’s real sign in flow. A loading screen appears first, followed by a request for the username and password.
Those credentials are captured and sent to the attacker’s backend panel, letting the operator log into the real account within seconds.

Depending on which multi factor method the account uses, the victim sees a matching fake screen, whether a one time code prompt, an authenticator app number match, or an SMS page.
The attacker relays whatever code the real system requests, using the victim as an unwitting proxy to defeat their own MFA protection.
Once past authentication, the kit shifts into its final act. It shows a passkey setup screen and asks the victim to save a recovery phrase built from BIP 39 style words, a technique borrowed from cryptocurrency wallets.
This step does nothing for the account. It exists purely to occupy attention while the attacker registers their own passkey in the background.
A final confirmation screen tells the victim their passkey was successfully created, reinforcing the illusion.
Since Microsoft sends a legitimate notification when a new passkey is added, victims often dismiss that email, believing they completed the process themselves.
Infrastructure And Recommended Defenses
Researchers noted the kit does not interact with third party identity providers, so organizations using external federation have not shown signs of direct compromise.
Any organization relying on native authentication alone remains at risk. To limit exposure, security teams should enroll users in phishing resistant authenticators and train staff to verify the identity of anyone claiming to be from IT support before acting on instructions.

Restricting account access by device status, geography, and network context can also reduce takeover risk.
Organizations should configure alerts for every authenticator lifecycle event so unexpected passkey registrations get flagged immediately.
Given how convincingly this kit imitates a routine update, staff awareness on passkey scams may prove just as valuable as technical controls.
Indicators of compromise (IoCs):-
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
Click Here For The Original Source.
