Cybercriminals have identified a vulnerability in Microsoft Entra’s passkey enrollment system, allowing them to take control of corporate accounts. This exploitation, primarily orchestrated by the threat group O UNC 066, also known as Pink, has been ongoing since April 2026. The attackers employ a sophisticated phishing scheme that persuades employees to register a passkey managed by the criminals themselves.
Phishing Tactics and Attack Methodology
The hackers combine social engineering techniques with a customized phishing toolkit. Employees receive direct phone calls from attackers posing as IT support, urging them to enroll a new passkey due to supposed security needs. This tactic aligns with Microsoft’s recent push for passwordless sign-ins, making the request appear routine.
Victims are directed to a counterfeit login page that mimics their company’s branding. Behind this facade, an attacker manually guides them through the process, adjusting fake screens based on the victim’s authentication methods, whether it be SMS, app prompts, or push notifications. This real-time orchestration complicates detection and circumvents automated defenses.
Campaign Objectives and Industry Impact
According to a report by Okta shared with Cyber Security News, the primary aim of these attacks is data theft for extortion purposes rather than immediate financial gain. The attackers have been linked to a public data leak site used to coerce victims. Industries affected by this campaign include food and beverage, technology, healthcare, automotive, construction, and aviation.
What makes this campaign particularly concerning is its ability to transform a security enhancement into a vulnerability. Instead of simply stealing passwords, the attackers establish a persistent foothold in victims’ accounts, which can endure beyond a password reset.
Defense Strategies and Recommendations
Security experts highlight that while the phishing kit does not interact with third-party identity providers, organizations relying solely on native authentication remain vulnerable. To mitigate risks, companies should implement phishing-resistant authenticators and educate staff to verify any claims made by supposed IT personnel before taking action.
Additional protective measures include restricting account access based on device status, geographic location, and network context. Organizations should also configure alerts for every authenticator lifecycle event to ensure unexpected passkey registrations are promptly flagged.
Given the convincing nature of this attack, raising awareness about passkey scams among staff could be as crucial as technical defenses. Proactive defenses, such as integrating live threat feeds from multiple SOC teams, can prevent critical incidents and financial losses.
To conclude, while Microsoft Entra’s passkey system aims to enhance security, this recent exploitation underscores the need for continuous vigilance and adaptation of security protocols to protect against ever-evolving cyber threats.
