PINK VISHING: How One Phone Call Lets Attackers Hijack Your Microsoft Entra Passkey – And Your Entire Cloud + Video

Listen to this Post

Featured Image

Introduction:

Since April 2026, a threat actor tracked as O‑UNC‑066 (also known as “Pink” by Palo Alto Networks Unit 42) has been running a focused vishing campaign that weaponizes Microsoft Entra passkey enrollment as a social‑engineering vector to enable account takeover and downstream data extortion. The attackers combine live voice calls impersonating internal IT support with an operator‑controlled PHP phishing panel that polls victim sessions every second, steering targets through a counterfeit passkey registration flow while silently registering an attacker‑controlled passkey in the victim’s Microsoft 365 account. What makes this campaign particularly dangerous is its timing: as of May 2026, Microsoft administrators have been able to create passkey registration “nudge” campaigns that prompt users to enroll at sign‑in – a legitimate feature that attackers now exploit as a pretext.

Learning Objectives:

  • Understand the technical mechanics of the O‑UNC‑066 vishing campaign, including domain infrastructure, operator‑controlled PHP panels, and real‑time MFA bypass techniques.
  • Learn how attackers abuse legitimate Microsoft Entra passkey enrollment flows to register their own credentials while deceiving victims with fake BIP‑39 recovery screens.
  • Implement detection, mitigation, and hardening strategies – including Conditional Access policies, logging, and user training – to defend against operator‑driven social‑engineering attacks.

1. Domain Infrastructure and Phishing Kit Architecture

The threat actor begins by registering domains that include the term “passkey” to lend an air of legitimacy to the operation. Observed base domains include:

– `assignpasskey[.]com`
– `deploypasskey[.]com`
– `passkeydeploy[.]com`
– `passkeyadd[.]com`
– `setpasskey[.]com`

From these base domains, the attackers create per‑target subdomains – for example, `victimcompany.assignpasskey[.]com` – so that each victim sees a URL that appears customised to their organisation. The phishing infrastructure has been hosted on DDoS‑Guard (AS57724) and IQWeb FZ‑LLC (AS59692), with servers located in Russia and the United States.

The phishing kit itself is not a passive adversary‑in‑the‑middle proxy; it is an operator‑driven PHP panel where attackers poll the victim session with a ~1‑second heartbeat and push pages tailored to the victim’s MFA configuration (TOTP, SMS OTP, or push with number matching). Pages load generic Microsoft styling from Microsoft’s CDN, while victim‑specific branding (logos, backgrounds) is pre‑staged and served from the phishing kit backend to increase authenticity.

Step‑by‑step: What the attacker does

  1. Domain registration & subdomain creation – Register a passkey‑themed domain and create a subdomain for each target organisation.
  2. Voice call (vishing) – Call the victim, impersonating IT support, and claim an urgent need to enrol a new passkey.
  3. Phishing page delivery – Guide the victim to the custom subdomain, which loads a realistic Microsoft Entra sign‑in page.
  4. Credential harvesting – The victim enters their username and password; these are forwarded to the operator panel in real time.
  5. Real‑time MFA relay – The operator uses the stolen credentials to authenticate to the legitimate Microsoft login. When MFA is triggered, the kit presents specific pages (/submit-otp for SMS, `/submit-authenticator` for TOTP, `/approve-authenticator` for push), and the victim’s submitted codes are relayed to complete the challenges.
  6. Attacker passkey registration – Once the attacker gains access, they enrol their own passkey in the victim’s Microsoft account while the victim completes a convincingly bogus passkey ceremony on the phishing site.
  7. Distraction with fake recovery key – The kit displays a faux “save your recovery key” screen showing BIP‑39‑style seed phrases and word‑position verification – elements unrelated to Microsoft Entra passkey mechanics – to distract the victim while the attacker registers the passkey.
  8. Legitimate email notification – Microsoft sends a legitimate email notification when a new passkey is added. Attackers name the passkey benignly (even reusing terms from the fake seed phrase) to reduce suspicion.

Detection commands (Linux / Windows)

  • DNS monitoring – Use `dig` or `nslookup` to monitor for newly created subdomains under suspicious passkey‑themed domains:
    dig assignpasskey.com ANY
    nslookup victimcompany.assignpasskey.com
    
  • Proxy / firewall logs – Search for outbound connections to the IOC domains:
    grep -E "assignpasskey|deploypasskey|passkeydeploy|passkeyadd|setpasskey" /var/log/squid/access.log
    
  • Windows Event Logs – Monitor for successful passkey registrations (Event ID 4624 with authentication package FIDO2):
    Get-WinEvent -LogName Security | Where-Object { $<em>.Id -eq 4624 -and $</em>.Message -match "FIDO2" }
    

2. The Operator‑Controlled Panel and Real‑Time MFA Bypass

The phishing kit’s operator panel is the core of the attack. It uses a 1‑second heartbeat polling mechanism to maintain session state and push the next page in the flow based on the victim’s actions and the operator’s inputs. The panel is designed to handle multiple MFA methods dynamically:

  • SMS OTP – The kit presents /submit-otp; the victim enters the code, which is posted to the backend and used by the operator to complete the SMS challenge on the legitimate Microsoft login.
  • TOTP (Authenticator app) – The kit presents /submit-authenticator; the victim’s time‑based code is relayed.
  • Push with number matching – The kit presents /approve-authenticator; the victim approves the push notification, and the operator captures the session.

This design mirrors tradecraft noted by Okta in late 2025, where callers and phishing kits adapt in real time to script user behaviour. The panel does not attempt to handle federation to third‑party Identity Providers such as Okta, suggesting the attackers focus exclusively on Microsoft Entra environments.

Step‑by‑step: How the panel works

  1. Initialisation – The victim lands on the phishing page; the panel creates a session and begins polling with a 1‑second heartbeat.
  2. Credential capture – The victim submits username/password; the panel forwards these to the operator and displays a “processing” page while the operator authenticates to the real Microsoft login.
  3. MFA detection – The operator’s authentication attempt triggers an MFA challenge. The panel detects the challenge type (SMS, TOTP, or push) and dynamically serves the corresponding page.
  4. Code relay – The victim submits the MFA code; the panel posts it to the operator’s browser, which completes the challenge on the legitimate login.
  5. Passkey registration – With the session now authenticated, the operator uses the legitimate Microsoft Entra interface to register a new passkey (FIDO2 credential) under the victim’s account.
  6. Fake ceremony – Simultaneously, the victim is guided through a fake passkey creation flow on the phishing site, complete with a BIP‑39 recovery phrase screen, keeping them unaware of the actual registration happening in the background.

Mitigation commands and configurations

  • Conditional Access policy to require phishing‑resistant MFA – In the Microsoft Entra admin centre, create a policy that requires authentication strength “Phishing‑resistant MFA” (which includes FIDO2 passkeys) for all users. This does not prevent the attack but ensures that only passkeys – not SMS or TOTP – are accepted for sensitive access.
  • Monitor for anomalous passkey registrations – Use Microsoft Graph API to list recently registered authentication methods:
    Get-MgUserAuthenticationFido2Method -UserId "[email protected]"
    
  • Alert on mass subdomain creation – Implement a SIEM rule that triggers when DNS queries for subdomains under newly registered passkey‑themed domains are observed.

3. Social Engineering and the “Nudge” Pretext

The campaign’s success hinges on a well‑timed pretext. As of May 2026, Microsoft administrators have been able to create passkey registration campaigns that remind or “nudge” users to enrol in passkeys at sign‑in. Attackers exploit this by calling employees and claiming that IT has initiated a mandatory passkey enrolment campaign, and that the user must complete it immediately to avoid losing access.

Victims span multiple enterprise verticals, including food and beverage, technology, healthcare, automotive, construction, and aviation. The attackers’ native‑English‑speaking operators script convincing calls, often referencing the user’s actual manager or recent security incidents to build credibility.

Step‑by‑step: What defenders should do

  1. Educate users – Train employees to verify any unsolicited call claiming to be from IT, especially if it asks them to visit a website or provide MFA codes. Implement a “call‑back” procedure where users hang up and call the official IT helpdesk number.
  2. Deploy vishing simulations – Run targeted vishing and social‑engineering simulation training to test and improve user resilience.
  3. Implement user‑reporting – Encourage users to report suspicious calls immediately; integrate this into your security operations workflow.
  4. Brand your legitimate enrolment pages – Use custom branding in Microsoft Entra so users can recognise the official login page. Attackers mimic this branding, but consistent communication about what the official page looks like helps users spot fakes.

Useful PowerShell command to audit passkey enrolments

 List all FIDO2 passkey registrations in the tenant (requires AzureAD module)
Get-AzureADUser -All $true | ForEach-Object {
$user = $_
Get-AzureADUserFido2Key -UserId $user.UserPrincipalName | 
Select-Object @{N="User";E={$user.UserPrincipalName}}, CreationDateTime, Model, Name
} | Export-Csv -Path "PasskeyAudit.csv" -1oTypeInformation

4. Attacker Attribution: O‑UNC‑066 / Pink

The campaign is attributed to a cluster tracked as O‑UNC‑066 (called “Pink” by Unit 42). This group is associated with a data extortion operation and has been active since at least April 2026. They do not rely on traditional malware; instead, they use voice phishing (vishing) to manipulate employees into visiting credential‑stealing domains. Once access is obtained, they publish a data leak site – a leak site was observed on May 31, 2026.

The group’s phishing kits target both Okta and Entra ID environments and include extreme vetting from sandboxes and researchers, as well as real‑time verification for the kits’ visibility. This suggests a high level of operational security and a professional phishing‑as‑a‑service model.

Detection indicators (IOCs)

  • Domains: assignpasskey[.]com, deploypasskey[.]com, passkeydeploy[.]com, passkeyadd[.]com, `setpasskey[.]com`
    – ASNs: AS57724 (DDoS‑Guard), AS59692 (IQWeb FZ‑LLC)
  • PHP panel paths: /submit-otp, /submit-authenticator, `/approve-authenticator`
    – Fake recovery screens: Pages displaying BIP‑39 seed phrases

Blocking commands (Linux firewall)

 Block known malicious domains at the network level
echo "127.0.0.1 assignpasskey.com deploypasskey.com passkeydeploy.com passkeyadd.com setpasskey.com" >> /etc/hosts

Or use iptables to drop traffic to these domains (resolve IPs first)
iptables -A OUTPUT -d <IP_of_malicious_domain> -j DROP

5. Hardening Microsoft Entra Against Passkey‑Based Attacks

While the attack does not exploit a vulnerability in passkey cryptography, it abuses the enrolment process. Defenders can take several steps to harden their Entra environment:

  1. Enforce phishing‑resistant MFA – Require FIDO2 passkeys or Windows Hello for Business for all administrative and high‑risk users. Use Conditional Access policies with “Require authentication strength” set to “Phishing‑resistant MFA”.
  2. Disable legacy MFA methods – Where possible, disable SMS, voice calls, and TOTP for high‑privilege accounts, as these are phishable.
  3. Use passkey attestation – Enable attestation in the passkey (FIDO2) policy. When attestation is enabled, Microsoft Entra ID tries to verify the legitimacy of the passkey being created, ensuring that only genuine Authenticator apps or FIDO2 security keys are used.
  4. Monitor enrolment campaigns – Regularly audit the “Registration campaigns” feature in the Microsoft Entra admin centre (Entra ID > Authentication methods > Registration campaigns) to ensure no unauthorised campaigns have been created.
  5. Implement user training – As noted, the attack is social engineering, not a technical flaw. Regular training on vishing and passkey enrolment is critical.

Azure CLI command to list authentication methods for a user

az rest --method GET --uri "https://graph.microsoft.com/v1.0/users/[email protected]/authentication/methods" --headers "Content-Type=application/json"

6. Forensic Investigation and Incident Response

If a passkey‑based account takeover is suspected, investigators should:

  1. Review Microsoft Entra audit logs – Look for events related to FIDO2 passkey registration (Add FIDO2 security key) and note the timestamp, IP address, and device information.
  2. Check for new passkeys – Use the Graph API or PowerShell to list all FIDO2 methods for the compromised user and identify any unfamiliar credentials.
  3. Revoke attacker passkeys – Remove any unauthorised passkeys immediately.
  4. Reset credentials – Force a password reset and revoke all refresh tokens.
  5. Investigate lateral movement – Check for suspicious sign‑ins, mailbox rules, or data exfiltration after the compromise.

PowerShell script to revoke all FIDO2 keys for a user

 Requires Microsoft.Graph module
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"
$user = Get-MgUser -UserId "[email protected]"
$fido2Methods = Get-MgUserAuthenticationFido2Method -UserId $user.Id
foreach ($method in $fido2Methods) {
Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $method.Id
}

What Undercode Say:

  • Key Takeaway 1 – The O‑UNC‑066 campaign is a masterclass in blending legitimate Microsoft functionality (passkey “nudge” campaigns) with real‑time social engineering. The attackers do not break cryptography; they break the human process around credential creation.
  • Key Takeaway 2 – The use of an operator‑controlled PHP panel with a 1‑second heartbeat represents an evolution in phishing‑as‑a‑service. This is not a static phishing page; it is an interactive session that adapts to the victim’s MFA configuration in real time, making detection by traditional URL‑blocking or static analysis nearly impossible.

Analysis:

This campaign exposes a critical gap in many organisations’ identity strategies: while passkeys themselves are phishing‑resistant, the enrolment process is not. Attackers have identified that the moment a strong credential is created is also the moment a user is most vulnerable to social engineering. The fake BIP‑39 recovery screen is a particularly clever distraction – it has no relation to Microsoft Entra passkeys but confuses victims long enough for the attacker to complete the real registration. The campaign also highlights the dangers of “nudge” campaigns: a legitimate administrative feature intended to improve security has been repurposed as a pretext for attack. Organisations must therefore treat any unsolicited communication about passkey enrolment as high‑risk and implement layered defences that include user education, Conditional Access policies, and continuous monitoring of authentication method changes. The fact that the group operates a data leak site indicates that this is not opportunistic credential theft but a structured extortion operation targeting sensitive enterprise data.

Prediction:

  • +1 – The exposure of this campaign will accelerate Microsoft’s efforts to add additional safeguards to passkey enrolment, such as requiring admin approval for new passkey registrations or sending more prominent notifications when a passkey is added. This could make the attack harder to execute in the future.

  • -1 – As passkey adoption grows, we will see a surge in vishing campaigns targeting the enrolment process across all major identity providers (Okta, Google, AWS IAM). Attackers will refine their scripts and panels, potentially adding AI‑powered voice cloning to make calls even more convincing.

  • -1 – Small and medium‑sized businesses that lack dedicated security teams will be disproportionately affected, as they are less likely to have the monitoring capabilities or user training programmes needed to detect and respond to these attacks.

  • +1 – The campaign will drive increased demand for vishing simulation training and real‑time threat intelligence feeds that can detect newly registered passkey‑themed domains, creating opportunities for security vendors to innovate in the social‑engineering defence space.

  • -1 – Unless Microsoft introduces rate‑limiting or additional verification for passkey registrations from new devices or locations, attackers will continue to abuse the enrolment flow, and we may see this technique adopted by other ransomware groups as a standard initial‑access vector.

▶️ Related Video (72% Match):

https://www.youtube.com/watch?v=0qZzcK1mHwA

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky