Cybercriminals have discovered a novel method to compromise corporate Microsoft accounts by taking advantage of the very feature designed to secure them: passkeys. The threat group, identified as O UNC 066 and also known as Pink by Palo Alto Networks Unit 42, has been orchestrating a phone-based phishing campaign since April 2026. The campaign tricks employees into registering an attacker-controlled passkey on their own accounts. This scheme cleverly combines social engineering with a customized phishing kit. Attackers reach out directly to employees, convincing them of the necessity for a new passkey, a request that seems plausible due to Microsoft's recent efforts to promote passwordless sign-in. Victims are then guided to a fraudulent login page that mimics their company's branding. Behind this facade is an operator-controlled panel rather than an automated tool.

A live attacker assists each victim through the entire process, adjusting fake screens based on whether the account employs SMS codes, authenticator app prompts, or push notifications. This real-time intervention makes the attack difficult to detect with automated security systems. Security researchers from Okta have investigated and detailed this campaign, indicating that the attackers' primary aim is data theft for extortion rather than immediate financial theft. Okta's report, shared with Cyber Security News, reveals that the attackers have been linked to a public data leak site used to pressure victims.

The industries impacted include food and beverage, technology, healthcare, automotive, construction, and aviation. This campaign is particularly noteworthy for turning a security upgrade into an attack vector. Instead of stealing a password once and moving on, attackers use the fake enrollment to establish a persistent presence within the account, which can endure a password reset.

The attack begins when a target receives a call from someone pretending to be IT support, insisting on the registration of a new passkey. The caller provides a link containing the term 'passkey', hosted on a domain designed to appear legitimate. Once accessed, the kit guides the victim through a sequence that replicates Microsoft's genuine sign-in process. After capturing the credentials, the attackers can access the real account swiftly. Depending on the multi-factor authentication method used, the victim sees a corresponding fake screen, whether a one-time code prompt, an authenticator app number match, or an SMS page. The attacker relays the necessary code, using the victim as an unwitting proxy to bypass MFA protection.

Once past authentication, the kit presents a passkey setup screen, asking the victim to save a recovery phrase constructed from BIP 39-style words, a tactic borrowed from cryptocurrency wallets. This step is purely a distraction while the attacker registers their passkey in the background. A final confirmation screen reinforces the illusion of a successful passkey creation. Since Microsoft sends a legitimate notification when a new passkey is added, victims often disregard the email, assuming they have completed the process themselves. Researchers noted that the kit does not interact with third-party identity providers, so organizations using external federation have not shown signs of direct compromise. Organizations relying solely on native authentication remain vulnerable. To mitigate risk, security teams should enroll users in phishing-resistant authenticators and train staff to verify the identity of anyone claiming to be from IT support before following instructions. Restricting account access based on device status, geography, and network context can also reduce takeover risk. Organizations should configure alerts for every authenticator lifecycle event to flag unexpected passkey registrations promptly. Given how convincingly this kit imitates a routine update, staff awareness on passkey scams may prove as valuable as technical controls.