The O-UNC-066 MFA challenge page
At a Glance
| Actor | O-UNC-066 (Okta); tracked as CL-CRI-1147 / “Pink” by Palo Alto Unit 42; linked to The Com |
|---|---|
| Activity type | Vishing plus passkey-enrollment phishing, leading to account takeover and data extortion |
| Targets | Enterprise Microsoft 365 orgs in food and beverage, technology, healthcare, automotive, construction, aviation |
| Scale | Active since April 2026; victim count not disclosed; leak site live since May 31, 2026 |
| Status | No public arrests; tracked activity cluster |
| Source | Okta Threat Intelligence; Palo Alto Networks Unit 42 |
TL;DR
Okta has detailed a vishing attack that turns Microsoft’s passkey rollout into a trap. Attackers phone employees, walk them through a fake passkey setup, and quietly register their own passkey. That hands the crooks durable account access for data extortion.
What Happened
Since April 2026, a group tracked as O-UNC-066 has run a passkey phishing operation against Microsoft 365 tenants. It registers domains that contain the word “passkey,” then calls targeted staff. The caller insists the user must enroll a new passkey.
The timing is deliberate. Since May 2026, Microsoft admins can “nudge” users to add passkeys at sign-in. Some nudges are on by default. So the fake request feels routine.
Victims reach a page that copies the real Entra enrollment portal, complete with their employer’s branding. Behind it sits a live operator. Okta describes “an operator-controlled PHP panel in which a threat actor steers victims through various stages.”
How the kit works
This passkey phishing kit is not a standard adversary-in-the-middle proxy. Instead, a human runs the session in real time, polling once per second. The flow moves through stages: an identify page for the username, a password prompt, then a short “processing” pause. That pause lets the operator log in as the victim.
From there, the operator relays whatever challenge Microsoft shows, whether push, TOTP, or SMS. Next comes the sleight of hand. A fake “recovery key” page shows a BIP-39 seed phrase, a trick borrowed from crypto wallets. Those pages enroll nothing. They keep the user busy while the attacker registers a passkey it controls. “The phishing kit appears to prey on lack of user familiarity with passkey authentication,” Okta notes.
Who Is Behind It
Attribution points to a tracked cluster, not a named person. Okta calls it O-UNC-066. Palo Alto Networks Unit 42 tracks overlapping activity as CL-CRI-1147, under the extortion brand “Pink.” Unit 42 links Pink to The Com, the loose network behind crews like Scattered Spider.
The motive is money. The group runs a data leak site, live since May 31, 2026. On it, the crew states plainly, “Our only goal is profit.” Its infrastructure sits on hosts in Russia and the United States.
Impact and Scale
The payoff is a durable foothold. A rogue passkey is a strong credential that can outlast a password reset. After takeover, the group moves fast to steal SharePoint and OneDrive data, then extorts the victim. Unit 42 says Pink publishes stolen samples and gives victims about 72 hours to pay.
Okta has not published a victim count. One caveat matters, though. Okta says the kit does not federate to third-party identity providers like Okta, and it has not seen direct Microsoft account compromise through its own view. Passkeys themselves stay phishing-resistant; the weak point is the enrollment ceremony.
What Comes Next and How to Stay Safe
Treat any unsolicited “register a passkey” call as hostile. Real IT teams do not cold-call staff to rush an enrollment. So verify helpdesk identity through a trusted channel.
Tell users plainly that Entra passkey setup never uses BIP-39 seed phrases. Watch Entra audit logs for new passkey registrations after odd sign-ins. Also flag domains that contain “passkey,” and shorten session lifetimes for sensitive changes.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.