A vishing campaign that preys on Microsoft 365 users—persuading them by phone to enroll attacker-controlled passkeys—has been active since early 2025, security firm Okta warned on Wednesday. The threat cluster, which Okta tracks as O-UNC-066 and Palo Alto Networks Unit 42 calls Pink, has adapted a years‑old social‑engineering playbook to exploit a weakness in passwordless authentication: the human element during enrollment. Once a rogue passkey is added, the attacker gains persistent, password‑free access to the victim’s account, often without triggering typical security alarms.

Inside the Attack: How a Phone Call Becomes a Permanent Backdoor

The operation combines vishing—voice phishing—with the passkey registration process built into Microsoft Entra ID. It starts when an attacker, posing as the target’s corporate IT help desk, calls an employee. Using information gleaned from LinkedIn, company directories, or previous data leaks, the caller sounds credible. They might reference a recent support ticket or warn of a security incident that requires immediate action.

Often the attackers already possess the user’s password, stolen through a prior phishing email or credential dump, but are stopped by multi‑factor authentication. The voice call is designed to overcome that final barrier. During the conversation, the attacker instructs the employee to visit a legitimate Microsoft page—typically the Security Info portal at https://mysignins.microsoft.com/security-info—and add a new sign‑in method: a passkey.

Because the user is already logged in, the enrollment flow does not, in many default configurations, demand an additional MFA challenge. The caller may coach the victim through creating a passkey, or in some variations, manipulate the process to complete the enrollment on an attacker‑owned device. Okta notes that Temporary Access Pass (TAP), a feature intended for secure onboarding, can also be phished over the phone and abused to register a passkey.

Once the rogue credential is bound to the account, the attacker can sign in from anywhere, on any device, without ever needing the user’s password again. The login appears legitimate because passkey authentication is inherently trusted, and many organizations do not closely monitor passkey additions.

What the Okta and Unit 42 Data Tells Us

Okta’s threat research team first spotted the activity in customer telemetry. O-UNC-066, also known to Palo Alto Networks Unit 42 as Pink, has historically targeted VPN credentials and traditional MFA prompts, but pivoted to passkeys as enterprises moved to passwordless. The group is a financially motivated actor that often uses help‑desk‑themed social engineering, and it has been refining its lures since at least April 2025.

The current campaign appears to focus on North American and European organizations in technology, finance, and healthcare—sectors that have aggressively adopted Microsoft Entra ID and passkey policies. Okta has not disclosed a victim count but described the operation as widespread. Crucially, the attack does not exploit a flaw in the FIDO2 standard; passkeys remain phishing‑resistant during authentication. The weakness lies in the registration ceremony: if an attacker hijacks an authenticated session and tricks the user, the new passkey becomes a trusted credential.

What This Means for You

The practical impact depends on whether you are an individual user or an IT administrator managing a Microsoft 365 environment.

For Personal Microsoft Accounts

If you use a personal Microsoft account (Outlook, Xbox, etc.) with a passkey, you are a less likely target for this exact campaign, but the principles of self‑defense still apply.
• Never add a sign‑in method at someone else’s request over the phone. If you receive an unsolicited call about your account, hang up and contact the company through official support channels.
• Periodically review your sign‑in methods at https://account.microsoft.com/security. Remove any passkeys or two‑step verification options you do not recognize.
• Enable notification alerts for account changes. Microsoft typically sends an email when a new passkey is added, but these can be missed.

For Business and IT Administrators

This is an enterprise‑grade threat that demands immediate action. The attackers are systematically targeting employees who have access to sensitive data, financial systems, or administrative privileges. Because Microsoft Entra ID does not, by default, require an extra MFA challenge when adding a new authentication method to an already authenticated session, a vishing call can quickly compromise an account.

Here are the essential steps every Entra ID admin should take right now.

Immediate Actions (Within 24 Hours)

  1. Enable MFA for security‑info registration. In the Entra admin center, go to Protection > Authentication methods > Settings and turn on “Require multifactor authentication to register or join devices with Azure AD” and the option to require MFA for self‑service password reset and security info registration.
  2. Alert all employees. Send a company‑wide message: no one from IT will ever call and ask them to add a passkey, handle a TAP, or read a code. Report any such call immediately.
  3. Hunt for rogue passkeys. Use the Microsoft Graph API or PowerShell to list all FIDO2 keys. Flag entries created in the last 90 days, especially if the device OS or browser metadata looks suspicious (e.g., an unfamiliar user agent).

Short‑Term Hardening (This Week)

Build a Conditional Access policy for registration. Block security‑info registration from non‑corporate networks or unmanaged devices unless the user has completed a strong secondary authentication, such as a Temporary Access Pass combined with a hardware token.
Audit all TAP issuance. Check the Entra ID sign‑in logs for any TAP usage that does not align with your normal help‑desk processes. If TAPs are being generated without a ticket, investigate.
Turn on risk‑based policies (requires Microsoft Entra ID P2). Enable user‑risk and sign‑in risk policies that automatically block high‑risk sign‑ins and force password changes for compromised accounts.

Longer‑Term Improvements

Move toward device‑bound passkeys. Passkeys stored on a YubiKey or in a computer’s TPM are harder to export than synced passkeys. While not a complete defense against this vishing technique, they add a meaningful obstacle.
Implement continuous access evaluation. Shorten session lifetimes and require re‑authentication for sensitive operations, such as security‑info changes.
Stay current with threat intelligence. Okta and Unit 42 will likely release indicators of compromise (IOCs). Ingest those feeds into your SIEM to detect similar activity.

How We Got Here: The Rise of Vishing Meets the Passwordless Era

Phone‑based scams are nothing new, but vishing escalated sharply during the pandemic as remote work expanded the enterprise attack surface. Groups like Lapsus$ and Scattered Spider famously used vishing—paired with SIM swapping and MFA fatigue—to hijack high‑profile accounts. The security industry’s response was a strong push toward phishing‑resistant MFA, most notably FIDO2 passkeys, which are supported across Windows, macOS, iOS, and Android.

Passkeys eliminate shared secrets and are bound to a device, meaning they cannot be phished in the traditional sense. During authentication, the browser verifies the domain, preventing relay attacks. Security experts, however, have cautioned since the early days of FIDO that the enrollment process remains a weak link. If a malicious actor can inject a passkey during registration, they gain all its trust benefits.

Microsoft has provided controls to address this gap. The “security info registration” policy that mandates MFA re‑authentication when adding new methods has existed for years, but it is not enabled by default. Temporary Access Pass was designed to be a time‑limited, phishing‑resistant onboarding method—yet it can be phished itself if a victim recites the one‑time code over the phone.

Okta’s disclosure is therefore less a revelation of a new vulnerability and more a demonstration of an attacker successfully weaponizing known configuration weaknesses. It mirrors earlier techniques used against Google accounts, where cookie‑theft malware was used to hijack sessions and register new passkeys. The vishing angle simply lowers the technical barrier and scales the attack.

The Outlook: Where This Attack Is Headed

Passwordless authentication will continue to grow, and criminals will adapt. Microsoft will likely refine its default policies or add more native friction to high‑risk actions in Entra ID, but such changes rarely happen overnight. Okta warns that O-UNC-066 is actively iterating on its scripts and lures. The group’s move from MFA bombing to passkey manipulation is a clear signal that a layered defense—not just a single “un‑phishable” technology—is essential.

For the Windows and Microsoft 365 community, the takeaway is straightforward: turn on that extra MFA check for account changes, and treat any unsolicited call about passkeys as a red flag. The tools to stop this exist; the only missing piece has been the urgency to deploy them. That urgency has now arrived.