Pink Vishing Enrolls Rogue Entra Passkeys on M365 Tenants
Okta and Unit 42 attribute an ongoing vishing campaign — active since April — that walks Microsoft 365 users through enrolling a passkey the attacker controls.
Okta and Palo Alto Networks Unit 42 attribute an ongoing vishing campaign to O-UNC-066, an operator under The Com’s “Pink” extortion brand, that walks Microsoft 365 users through enrolling an Entra passkey the attacker controls. Active since April 2026, per BleepingComputer’s coverage of the joint Okta / Unit 42 write-up published 2026-07-08. Confidence: high.
What’s confirmed
- Active window. April 2026 through publication, per Okta. Confidence: high.
- Attribution. O-UNC-066, running under the “Pink” extortion brand aligned with The Com — the same loose youth-run crime ecosystem tied to Scattered Spider-adjacent activity through 2024–2025. Confidence: as-reported by Okta and Unit 42.
- Target sectors. Food and beverage, technology, healthcare, automotive, construction, aviation. Not sector-specific tradecraft — the operator takes any tenant whose helpdesk answers. Confidence: high.
- Mechanism. A voice pretext — the caller poses as internal IT or a Microsoft-branded security team walking the user through a “passkey upgrade” or “security verification.” The victim is directed to an operator-controlled site impersonating the Entra passkey-enrollment page, and whatever MFA challenge lands — TOTP, push, SMS — is relayed in real time to a live PHP operator panel. The panel drives the real Microsoft session in the background. The passkey that gets registered belongs to the operator, not the user. Confidence: high.
- Persistence value. Passkeys, unlike push-approval fatigue, are supposed to be phishing-resistant. A rogue enrolled key defeats that assumption for as long as it sits on the account — and it will sit until someone audits the credential list. Confidence: high.
What’s uncertain — treat accordingly
- Victim count and named victims. Not disclosed. Do not extrapolate campaign volume from the sector list — the sector list is what Okta and Unit 42 have observed, not the ceiling. Confidence: unconfirmed.
- Overlap with concurrent M365 tradecraft. This is the third named M365 identity-abuse cluster surfacing in this quarter’s reporting — ARToken / EvilTokens on 2026-07-04, DEBULL on 2026-07-08, and Pink vishing running since April but disclosed today. Different mechanics, same target surface. Whether operators share tooling or affiliates is not established. Confidence: unconfirmed — treat accordingly.
What to do
- Audit passkey enrollments across Entra accounts against expected device-provisioning events. A passkey registered outside a known provisioning window is the signal Okta specifically calls out — the rogue key is only useful to the operator as long as it stays enrolled.
- Verify inbound helpdesk-style calls out of band. Okta’s first recommendation: an identity-verification challenge for anyone calling a user claiming to be internal IT or Microsoft. A call-back to a known internal number is the low-effort version.
- Deny authentication from geographies you do not operate in. Named-location Conditional Access — Okta’s second recommendation. It doesn’t stop the call itself, but it makes the stolen session harder to convert into hands-on access.
- On suspected exposure, reset the account’s passkeys and revoke refresh tokens. Even if the user “hung up before entering anything,” the relay is fast enough that a partial interaction is not a safe assumption.
Anyone who moved M365 to passkey-first in the last quarter thinking phishing was solved — this is the answer. The trust model was device provenance, not “the user won’t hand it over.”
Timeline
- April 2026 — earliest observed activity, per Okta.
- 2026-07-08 — Okta and Palo Alto Networks Unit 42 publicize the campaign. BleepingComputer covers the same day.
Filed as active campaign, attribution as-reported. This piece gets an update if Okta, Unit 42, or Microsoft Threat Intelligence names victims or ties Pink to a broader intrusion set on this cluster.
Found this useful? Share it.

