TempMail Ninja
//

Passkey Enrollment Exploited: New Pink Vishing Campaign Targets Entra Users

8 min read
TempMail Ninja
Passkey Enrollment Exploited: New Pink Vishing Campaign Targets Entra Users

In the ongoing arms race of enterprise cybersecurity, the transition to passwordless authentication has long been heralded as the ultimate defense against credential-based compromises. However, a highly sophisticated threat campaign active since April 2026 demonstrates that even the most robust cryptographic safeguards can be undone by human engineering. Security researchers have uncovered an aggressive voice phishing (vishing) operation that systematically hijacks the corporate passkey enrollment process. Tracked by Okta threat intelligence as O-UNC-066 and by Palo Alto Networks Unit 42 under the extortion brand “Pink” (also designated CL-CRI-1147), these cybercriminals are executing precise account takeovers against enterprise Microsoft 365 environments. By exploiting the exact mechanisms designed to eliminate passwords, the threat group has turned a crucial security upgrade into an ideal vector for lateral access, cloud data exfiltration, and multi-million-dollar data extortion campaigns.

The Paradox of Progress: Weaponizing Security Upgrades

To understand the potency of the O-UNC-066 campaign, one must look at the psychological blind spot created by modern security initiatives. In May 2026, Microsoft introduced “passkey registration campaigns,” allowing administrators to run proactive, native prompts to “nudge” users to enroll FIDO2 passkeys at sign-in. While this initiative aimed to accelerate the transition to phishing-resistant multi-factor authentication (MFA), it unintentionally established a highly plausible pretext for social engineers.

Because enterprise employees are actively being conditioned by their internal IT and security departments to expect announcements and prompts regarding passwordless transitions, a cold call from an “IT administrator” instructing them to complete a mandatory security upgrade feels entirely legitimate. The Pink extortion group exploits this exact transition window. They replace the native, secure passkey enrollment dialog with a carefully choreographed theater of deception, ensuring that the victim remains compliant while their digital identity is permanently bound to an attacker-controlled cryptographic key.

Threat Actor Taxonomy: Who is the “Pink” Extortion Group?

According to threat intelligence analysts at Unit 42 and SOCRadar, the Pink extortion group (CL-CRI-1147) is not a novice operation. The group is heavily assessed to be an affiliate of “The Com”—a notorious, decentralized cybercriminal collective known for high-profile vishing campaigns, cloud infrastructure takeovers, and aggressive extortion tactics. Pink exhibits significant technical and tactical overlaps with established syndicates such as Bling Libra (better known as ShinyHunters) and CL-CRI-1116 (historically tracked as Blackfile or Redact).

Unlike traditional ransomware groups that rely on deploying complex, system-wide encryption payloads (such as Locker locker software) which often trigger immediate endpoint detection and response (EDR) alerts, Pink operates a stealthier, credential-driven model. Their operations are characterized as “Big Game Hunting,” targeting high-value enterprise entities across six major industrial verticals:

  • Food and Beverage: Infiltrating supply chains and logistics networks.
  • Technology: Compromising software and service providers to leverage downstream relationships.
  • Healthcare: Accessing sensitive medical networks and patient data repositories.
  • Automotive: Targeting proprietary designs and assembly logistics.
  • Construction: Gaining access to structural layouts, bid documents, and contractor data.
  • Aviation: Breaching high-value transportation and aerospace ecosystems.

Pink’s monetization strategy centers entirely on double extortion. Their dedicated dark-web leak site, which went live on May 31, 2026, has quickly accumulated listings of high-profile corporate victims. If negotiations fail, the group systematically leaks exfiltrated files, applying intense pressure on victims under a strict 72-hour payment window.

Inside the Operator-Controlled Passkey Enrollment Phishing Kit

The O-UNC-066 campaign stands apart from generic phishing operations due to its infrastructure and real-time execution. Historically, credential harvesting has relied on static clone pages or automated Adversary-in-the-Middle (AitM) reverse proxies (such as Evilginx), which automatically forward session cookies. The kit deployed by the Pink group, however, is a custom, operator-controlled PHP panel designed to guide the victim manually through the authentication sequence.

The underlying architecture utilizes a 1-second heartbeat polling mechanism. This active connection allows a live threat operator sitting behind a backend panel to monitor the victim’s interactions in real-time. Rather than hoping an automated system handles the security challenges, the human operator dynamically pushes new login screens, error messages, and MFA challenges to the victim’s browser based on the exact status of the real-time session they are running simultaneously against the legitimate Microsoft Entra ID portal.

Infrastructure and Evasion Tactics

To establish trust and evade traditional web gateway filters, the group registers strategic domains containing terms associated with identity management. This infrastructure is primarily hosted on bulletproof networks and DDoS-mitigation networks like DDoS-Guard (AS57724) and IQWeb FZ-LLC (AS59692). Known domains associated with this campaign include:

  • passkeyadd[.]com
  • passkeydeploy[.]com
  • deploypasskey[.]com
  • assignpasskey[.]com
  • setpasskey[.]com

The phishing kit serves subdomains pre-staged with the target organization’s authentic branding. While generic elements of the page (such as CSS styling and background resources) are fetched dynamically from Microsoft’s public Content Delivery Network (CDN) to ensure a perfect match, victim-specific logos and corporate backgrounds are hosted on the phishing backend. Additionally, the kit is engineered with strict sandbox-evasion and anti-analysis filters, blocking requests from security crawlers, automated scanners, and security researchers, thereby prolonging the lifespan of each malicious URL.

The Execution Chain: From Vishing Call to Permanent Backdoor

The complete attack path deployed by O-UNC-066 is a masterclass in social engineering and tactical timing. By coordinating a phone call with a dynamic web interface, the attacker effectively isolates the victim, steering them through a multi-stage compromise.

  1. The Vishing Lure: A live operator contacts the targeted employee over the phone, posing as a member of the corporate IT helpdesk. They inform the employee that they must immediately enroll in the company’s new, secure passkey system to comply with a corporate security mandate. The caller directs the victim to a customized URL, such as [victim-company].assignpasskey[.]com.
  2. Dynamic Credential Harvesting: The victim is presented with a pixel-perfect imitation of their company’s Microsoft Entra ID login portal. As the victim enters their username and password, the operator’s panel captures the credentials. The operator immediately replays these credentials into the legitimate Microsoft sign-in interface within seconds.
  3. Adaptive Multi-Factor Bypass: If the victim’s account is protected by MFA, the real Microsoft portal will issue a challenge (e.g., an SMS OTP, a TOTP authenticator code, or a push notification with number matching). The operator views this challenge on the legitimate sign-in screen and uses the PHP panel to dynamically push a matching challenge screen to the victim’s browser. Instructed by the caller on the phone, the victim enters the code or approves the push prompt, completing the legitimate authentication flow for the attacker.
  4. Malicious Passkey Binding: Once inside the victim’s active Microsoft session, the attacker does not simply steal a session cookie. Instead, they navigate directly to the security information settings of the victim’s Entra ID profile to register a new cryptographic credential. The attacker triggers the registration process and registers *their own* FIDO2 passkey (using a physical security key or device under the attacker’s control) to the victim’s identity. This creates a permanent, highly resilient backdoor that bypasses standard password resets and is recognized by Entra ID as a trusted, phishing-resistant sign-in method.

The BIP-39 Cryptographic Seed Phrase Distraction

A primary challenge for the attackers during this flow is keeping the victim engaged and on the phone while the operator navigates Microsoft’s backend to complete the passkey binding. To resolve this, the Pink phishing kit features a brilliant, albeit fraudulent, distraction phase.

While the attacker is actively registering their passkey, the phishing site displays a highly technical “Save your recovery key” prompt. The page presents the victim with a generated list of 12 or 24 BIP-39 seed phrases (mnemonic words standard in cryptocurrency wallets but entirely irrelevant to enterprise Microsoft Entra ID environments). The caller instructs the victim to carefully write these words down on a piece of paper and then verify the seed phrase by typing a specific word back into the portal.

This elaborate step serves three critical security-evasion functions:

  • Employee Distraction: It keeps the victim occupied and physically focused on writing down words, preventing them from asking questions or hanging up while the operator completes the backend configuration.
  • Suppression of Suspicious Alerts: When a new security key is registered to a Microsoft Entra ID account, the system automatically dispatches a legitimate email notification to the user. Because the victim is engrossed in the “mandatory setup” and has just written down a complex “recovery key,” they are highly likely to perceive any registration confirmation email as a normal byproduct of the process they just completed.
  • Simulated Authenticity: The cryptographic nature of BIP-39 phrases adds an artificial layer of sophistication, making the “security upgrade” feel deeply secure and rigorous to a non-technical employee.

Defensive Strategies and Mitigation for Enterprise Administrators

The O-UNC-066 campaign highlights a fundamental truth in modern defense: even phishing-resistant mechanisms like passkeys can be subverted if the enrollment process is left unsecured. To defend against this sophisticated vishing threat, administrators must implement multi-layered administrative, technical, and logging safeguards.

1. Restricting Registration Context with Conditional Access

The most effective technical control to block malicious passkey enrollment is restricting where and how new authentication methods can be registered. Organizations should not allow users to register security keys or passkeys from any location or unmanaged device. Administrators should configure Microsoft Entra Conditional Access policies to enforce the following rules:

  • Trusted Locations Only: Restrict the registration of security information (including FIDO2 passkeys) to trusted, corporate-defined IP ranges or networks.
  • Device Compliance: Require that any enrollment of new authentication methods must occur from a compliant, corporate-managed device (joined to Microsoft Intune or Hybrid Entra ID).
  • Temporary Access Passes (TAP): For users who must register a passkey outside of standard contexts, mandate the use of a high-entropy, short-lived Temporary Access Pass issued directly by a verified administrator through an out-of-band, authenticated channel.

2. Robust Authentication Log Auditing

Security Operations Center (SOC) teams must actively monitor Entra ID logs for anomalies during authentication registration. Key indicators of compromise (IoCs) in the audit logs include:

  • Impossible Travel: A user session authenticates from their typical local IP address, but a FIDO2 passkey registration event is completed from an unexpected cloud provider range (such as DDoS-Guard or residential proxy networks) shortly after.
  • Unexpected Registration Events: Correlate the Microsoft Entra ID audit log event "Update user" where the target property modified is "StrongAuthenticationPhoneAppDetail" or "StrongAuthenticationMethod" (specifically FIDO2 security keys) against scheduled, verified IT enrollment programs.
  • Immediate Cloud Pivot: A registration event immediately followed by intensive, high-volume directory searches or massive data downloads from SharePoint Online or OneDrive.

3. Cultivating a Verification-First Culture

While technical controls are paramount, user awareness must evolve. Traditional phishing training often focuses on identifying suspicious emails. Organizations must update their vishing playbooks to emphasize that corporate IT will never call an employee out of the blue to walk them through a security configuration, nor will they direct them to external, third-party domains to input credentials. If an employee receives such a call, they must immediately hang up and independently verify the technician’s identity via authenticated internal channels, such as an official corporate messaging platform or the verified IT service desk hotline.

TN

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.