Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers
Okta warns of vishing campaign using fake passkey registration to steal Microsoft 365 credentials.
Summary
Okta has identified a vishing campaign, tracked as O-UNC-066, targeting organizations across multiple sectors to harvest Microsoft 365 credentials. Attackers use voice calls to direct victims to fake Microsoft Entra ID login pages, mimicking passkey registration to gain account access and potentially perform data extortion. The campaign leverages a custom PHP panel that guides victims through authentication and MFA stages in near real-time.
Full text
Organizations across multiple sectors have been targeted in a vishing campaign aimed at harvesting Microsoft 365 credentials, Okta warns. The campaign started in April and has involved voice calls directing the victims to fake Microsoft Entra ID login pages under the pretense that they need to register a new passkey. Tracked as O-UNC-066 and also known as CL-CRI-1147 and Pink, the hacking group has been targeting automotive, aviation, construction, food and beverage, healthcare, and technology organizations, mainly for data extortion. As part of the observed attacks, the threat actor has been registering domains incorporating the word ‘passkey’, and has been directing victims to pages that closely mirror the Microsoft passkey enrollment process. “It appears engineered to convince a targeted user they are in the process of enrolling a passkey with Microsoft, while the threat actor simultaneously registers their own passkey in the targeted user’s Microsoft account,” Okta says. The fake Microsoft Entra ID login pages are customized for each victim from the backend of the phishing kit, using legitimate branding and loading content from Microsoft’s content delivery network.Advertisement. Scroll to continue reading. Unlike other phishing kits, this is an operator-controlled PHP panel that does not automatically collect credentials, multi-factor authentication (MFA) tokens, and session tokens. Instead, the threat actor directs the victim through multiple authentication stages in near-real time, adapting the page’s content and notifications during the session to accommodate various MFA requirements. “It is likely that the threat actor uses the kit to take over the user account and trick the user into approving an attacker-initiated registration of a passkey,” Okta notes. Throughout the various stages of the attack, the phishing pages perform anti-analysis checks, request a username without redirecting to a federated identity provider, and request a password that the operator likely uses in real-time to access the victim’s account. Next, the victim is shown a processing page while the operator likely authenticates to the account to observe the type of MFA that has been enabled and selects what to display to the victim: SMS OTP, TOTP, or push MFA. In line with the campaign’s lure, the attacker can then redirect the user to a passkey registration page, where they are asked to save a recovery key from a list of BIP-39 phrases the threat actor controls. Next, the victim is asked to verify the final word used in the seed phrase. “The phishing kit appears to prey on the lack of user familiarity with passkey authentication. In a real passkey registration ceremony, the user might expect a system dialog to register a passkey on their device. The passkey pages in this phishing kit appear to mimic this process without registering a passkey,” Okta notes. According to the company, BIP-39 seed phrases do not appear to have a direct applicability in Microsoft Entra, and the hacking group may be using this step as a distraction. At the same time, attacker-controlled passkeys are enrolled in the victim’s account. “Any time a user enrolls a passkey with Microsoft, the owner of the compromised account receives a legitimate Microsoft email to notify them that a new passkey has been registered in their account. During an attack, the passkey was actually enrolled by the threat actor directly with Microsoft, and the threat actor is in a position to name the passkey with something the targeted user would view as benign,” Okta explains. Related: Massive Password Spray Campaign Targeting Azure CLI Related: FBI, Google Dismantle ‘Outsider Enterprise’ Phishing Service Related: Google, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of Devices Related: Over 500 Organizations Hit in Years-Long Phishing Campaign Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire 15-Year-Old Linux Vulnerability ‘GhostLock’ Earns Researchers $92k From GoogleMount Royal University Confirms Data Stolen in Ransomware AttackChrome 150 Update Patches 27 Vulnerabilities8Layers Raises $2.9 Million for Identity Security PlatformUnpatched Backdoor in Tenda Firmware Grants Admin Access to DevicesAccenture Confirms Data Breach After Hacker Claims Source Code TheftChina-Linked APT Expands Arsenal With New ‘Leash’ BackdoorsGoogle Dialogflow CX Bug Allowed Attackers to Hijack AI Conversations Latest News China, India-Linked Hackers Both Targeted Same Pakistani Police ForceGigaWiper Combines Multiple Malware for System-Level Sabotage‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery MechanismNetwork of 200 GitHub Repositories Used for Malware InfectionQIZ Security Raises $17 Million for Cryptographic Governance PlatformUK Government Rolls Out Agentic AI Defense Plan Alongside Industry PledgePalo Alto Networks Patches 13 Vulnerabilities12 Million Impacted by Data Breach at Japanese Telco KDDI Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveBlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.Solana Foundation has appointed Michael Coates as Chief Information Security Officer.Michael Sikorski has joined Coinbase as Chief Information Security Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- mitre_attack — T1566.002
- mitre_attack — T1078.004
- mitre_attack — T1110.003
- mitre_attack — T1041