Okta Warns Microsoft 365 Users of April Vishing Campaign Stealing Credentials via Fake Passkey Pages
Updated
Updated · SecurityWeek · Jul 10
Okta Warns Microsoft 365 Users of April Vishing Campaign Stealing Credentials via Fake Passkey Pages
1 articles · Updated · SecurityWeek · Jul 10
Summary
Okta said a vishing campaign that began in April has targeted Microsoft 365 users across multiple sectors, using phone calls and fake Microsoft Entra ID pages to steal credentials and set up attacker-controlled passkeys.
O-UNC-066—also tracked as CL-CRI-1147 and Pink—has hit automotive, aviation, construction, food and beverage, healthcare, and technology organizations, with data extortion appearing to be the main objective.
The phishing kit is operator-controlled rather than fully automated, letting attackers guide victims through passwords and MFA in near real time while customizing pages with legitimate branding and Microsoft CDN-loaded content.
Victims are told they must register a new passkey, then shown fake enrollment steps including BIP-39 recovery phrases, while the attacker quietly registers a real passkey on the compromised Microsoft account.
Okta said the campaign exploits limited user familiarity with passkeys; Microsoft sends a legitimate email when a new passkey is added, but attackers can label the enrolled passkey to make it look benign.
How are elite hackers turning Microsoft's latest security feature into a backdoor for data extortion?
With AI that can clone a voice in seconds, is the human element now the biggest enterprise security flaw?
O-UNC-066’s 2026 Vishing Surge: Inside the "Pink" Group’s Passkey Exploits and Identity-Based Attacks
Overview
Since April 2026, the threat group O-UNC-066 has launched a sophisticated vishing campaign targeting organizations. By using vishing and IT impersonation, they collect credentials and multi-factor authentication codes, allowing them to bypass security layers and gain unauthorized access to corporate networks. Once inside, O-UNC-066 employs advanced phishing tactics, such as phishing kits that mimic passkey registration, to further compromise accounts. After gaining access, they quickly exfiltrate sensitive data and use extortion to pressure victims into paying. This campaign highlights the evolving risks of social engineering and the need for strong defenses against identity-based attacks.