Enterprises relying on Microsoft 365 for email, collaboration, and sensitive data storage have a new account takeover threat on the horizon—one that cleverly subverts the latest passwordless security standard. Beginning in April 2026, the cyber extortion group tracked as Pink (O-UNC-066) will launch a voice-phishing (vishing) campaign designed to trick employees into enrolling attacker-owned passkeys, handing over persistent and nearly undetectable access to corporate accounts, according to a threat intelligence report reviewed by windowsnews.ai.

A Vishing Campaign With a Passkey Twist

The forthcoming attacks mark a dangerous evolution in social engineering tactics. Instead of stealing passwords or one-time codes, the Pink group will manipulate victims into adding a passkey controlled by the attacker. Passkeys, built on the FIDO2 standard, are widely considered phishing-resistant because they bind a cryptographic key to a specific device or platform. But by duping a user into enrolling the attacker's key, the security model falls apart.

According to the report, Pink operators will call targeted employees, posing as internal IT support. The caller claims an urgent security upgrade is needed or that the user’s account has been compromised. They then guide the victim through a series of steps—often directing them to a legitimate-looking page—that result in a new passkey being registered to the attacker's device. From that point, the threat actor can authenticate as the user without needing a password or additional factor.

The group, also tracked as O-UNC-066, is known for extortion. Once inside the account, they typically exfiltrate sensitive files, encrypt data, and demand a ransom under threat of public release. The passkey trick provides a stealthy, reliable backdoor that persists even if the victim later changes their password or reconfigures other authentication methods.

How the Attack Hijacks Microsoft 365 Accounts

The technical sequence is deceptively simple. Microsoft 365 allows users to manage their own authentication methods through the “Security info” portal. With the right permissions, a user can register a passkey—whether a platform authenticator on a mobile device, a FIDO2 security key, or a passing-through Windows Hello credential. The attacker, after establishing trust over the phone, walks the employee through visiting this portal and initiating passkey enrollment. In some cases, the caller may send a link that silently initiates the process.

Once the passkey is added, it becomes a fully trusted sign-in credential. Because passkeys are designed to be used across devices—for example, scanning a QR code from a mobile phone to sign in on a desktop—the attacker can use the newly enrolled key to access the victim’s Microsoft 365 account from anywhere. The sign-in appears legitimate: it originates from a trusted authentication method with no suspicious password failure or MFA prompt to alert the user.

The attack is particularly effective against enterprise environments where help desk calls are routine, and where Microsoft’s own messaging encourages users to go passwordless. “Your organization requires you to set up a more secure verification method” is a prompt that many employees have seen—and attackers exploit that familiarity.

Why This Matters for Your Organization

For IT administrators, this threat demands immediate attention. The passkey takeover bypasses traditional controls like password complexity, MFA, and even conditional access policies that don’t restrict the registration of new authentication methods. Once the attacker has a foothold, they can move laterally, access SharePoint and Teams data, and potentially compromise other integrated services.

Small and medium businesses are not immune; any organization with valuable data or the ability to pay a ransom is at risk. Even home users—though less likely to be directly targeted by a sophisticated extortion group—should understand the technique, as similar scams could trickle down to consumer-grade attacks.

From a compliance standpoint, the attack exposes a gap in many identity and access management (IAM) strategies. Regulatory frameworks that mandate strong authentication often assume that passkeys are inherently more secure, but they place too little emphasis on the enrollment process.

The Road to Passkey-Based Social Engineering

Passkeys emerged as the answer to password fatigue and phishing. Major platforms—Microsoft among the loudest—have pushed aggressively for adoption. Windows Hello, cross-device sign-in, and the ability to store passkeys on mobile authenticators have made the technology mainstream in enterprise environments. But every security improvement shifts the battlefield.

Attackers previously leaned on MFA fatigue—bombarding users with push notifications until one was accepted. Now, they’re weaponizing the enrollment ceremony itself. The underlying problem isn’t the technology; it’s the human verification step that can be socially engineered. If a user can be convinced to perform an action, even the strongest cryptographic guarantee becomes irrelevant.

Microsoft has introduced some safeguards, such as the ability to require a PIN or biometric check during passkey creation, but those depend on the device and the user’s awareness. There is currently no built-in mechanism in Azure AD to detect that a passkey was added under duress during a phone call. Security researchers have long warned that as passkeys become mandatory—for instance, for accessing sensitive government portals or payment systems—these enrollment-focused attacks would rise.

Fortifying Defenses: Steps to Take Now

With the campaign set to begin in April 2026, organizations have a window to implement protections. Here’s what administrators and security teams should prioritize.

For IT Administrators:

  • Restrict passkey enrollment: Use Azure AD Conditional Access to require that any change to authentication methods—including passkey registration—comes from a managed, compliant device or a trusted network location.
  • Review self-service settings: In the Azure portal, under “User feature settings,” disable the ability for users to manage their own security info entirely, or limit it to specific groups. Require admin approval for new passkey additions.
  • Alert on new authentication methods: Set up monitoring in Microsoft 365 Defender or Sentinel to trigger alerts when a new passkey or security key is registered, especially from atypical geographies or devices.
  • Strengthen enrollment verification: If your organization uses temporary access passes (TAP) for onboarding, consider extending such verification to any high-privilege passkey enrollment. A callback to a known number or a separate channel approval can block impersonation.
  • Deploy phishing-resistant MFA: Issue organization-managed FIDO2 hardware keys. Do not allow users to register personal devices as passkey providers unless strictly necessary, and even then, enforce attestation.
  • User training and simulations: Regularly test employees with simulated vishing calls. Train them to never engage with unexpected IT outreach. Emphasize: “We will never ask you to add a passkey over the phone.”
  • Establish an IT call-back policy: Encourage users to hang up and call a published internal number to verify any request. This simple step stops most impersonation attempts.

For End Users:

  • Be suspicious of any call that claims your account is at risk and needs immediate action.
  • Never follow instructions from an unsolicited caller to visit a website, install an app, or add a security token.
  • Contact your IT department directly using a known number or email—do not use caller ID information, which can be spoofed.
  • If something feels off, report it immediately.

Quick Comparison: Legitimate vs. Vishing Passkey Enrollment

Feature Legitimate Enrollment Vishing Attack
Initiation You decide, often prompted by official channel Caller initiates, creates urgency
Method Follow internal docs or IT-guided session Caller gives step-by-step through unknown pages
Communication Through known internal channels (Teams, verified email) Unsolicited phone call
Verification IT may send a verify code through official app Only verbal assurance
Outcome Your device gains a passkey Attacker’s device gains a passkey

Looking Ahead: The Next Wave of Identity Threats

The Pink group’s campaign signals a turning point. As passkeys become ubiquitous—Apple, Google, and Microsoft are all pushing the standard—enrollment-based attacks will likely increase. Service providers will need to build more friction into the registration process, possibly requiring multi-party approval or biometric proof of presence. Regulatory bodies may soon demand that high-assurance passkey enrollments be treated with the same rigor as in-person identity verification.

For now, the most effective defense remains a combination of technical restrictions and human vigilance. Organizations that act early to lock down the passkey enrollment flow will be well positioned before the wave hits in April 2026. This isn’t about abandoning passwordless technology; it’s about recognizing that even the strongest lock can be compromised if you hand over the key.