What Happened
Okta and BleepingComputer reported on July 8, 2026 that a threat actor tracked as O-UNC-066 — also known as “Pink” by Palo Alto Networks Unit 42 — has been running an active voice phishing campaign against Microsoft 365 organisations since April 2026. Attackers call targeted employees, impersonate internal IT security staff, and claim a new Microsoft Entra passkey must be enrolled for security reasons. They direct the victim to a malicious URL containing the word “passkey” in the domain name, which renders a convincing fake version of the Entra passkey enrollment portal, including the victim organisation’s own branding.
The phishing kit is operator-controlled in real time via a PHP panel. The attacker adapts the flow live based on which MFA method the victim uses, guiding them through the fake enrollment process until the attacker’s authenticator device is registered as a trusted passkey on the victim’s account. Once registered, the attacker has persistent, phishing-resistant access to the account — the kind of access a real passkey is designed to provide to legitimate users.
Okta confirmed the campaign has targeted organisations in food and beverage, technology, healthcare, automotive, construction, and aviation sectors. On May 31, the group launched an extortion site where they publish samples of stolen data to pressure victims.
Why This Matters for Canadian Organizations
Microsoft 365 is the dominant productivity platform across Canadian enterprise, government, and post-secondary sectors. This campaign is notable because it attacks the enrollment process itself — not the authentication step. A well-trained employee who knows to reject MFA fatigue attacks or fake login pages has no direct technical defence against a phone call instructing them to enroll a passkey through what appears to be a legitimate portal. The targeted sectors align closely with major Canadian M365 user groups, and the aviation sector in particular is represented at Canadian airports, airlines, and transport authorities.
Under PIPEDA, obtaining unauthorized access to an M365 account containing personal information triggers a breach assessment and potential reporting obligation. For organizations under OSFI Guideline B-13, compromise of an identity and access management credential — particularly one with passkey-level persistence — represents a material control failure. The campaign’s extortion component introduces reputational and financial risk beyond the initial access event.
What to Do
Establish a clear process for verifying the identity of helpdesk staff contacting employees about security changes. Employees should never enroll a new authentication factor during an inbound phone call — all passkey or MFA enrollment changes should be initiated through a known and verified internal portal, not a URL provided by the caller. Review Entra ID authentication method registration logs for unexpected passkey enrollments, particularly since April 2026. Set Conditional Access policies to flag or block new passkey registrations from unfamiliar locations or devices. Train employees specifically on the passkey enrollment vishing technique, as standard MFA phishing awareness programs do not address this attack vector.
Source: BleepingComputer | Okta Threat Intelligence






