The Pink cyber extortion crew is tricking employees into giving them access to their Microsoft 365 accounts by faking Entra passkey enrollment requests.

The attack

The attack starts with a vishing call to an employee. The caller poses as IT and says it’s time to set up a passkey. Everything after that is theater, built to keep the victim occupied while the attacker finalizes everything.

The attackers instruct the target to visit a subdomain that mimics the Microsoft Entra ID login page, which has been customized to look like it belongs to the victim’s employer.

The target is instructed to log in to their Microsoft 365 account, enter their second authentication factor, and set up a passkey.

The specific pages with these input requests are served via a panel-controlled phishing kit, allowing the attackers to customize the authentication flow presented to the targeted users.

“The operator can use the kit to adapt the user experience to each victim’s MFA requirements (TOTP, push notification with number matching, SMS OTP) during the session,” the researchers noted.

The kit shows loading screens between the separate phishing pages, giving the attackers time to use the entered credentials and authentication factors to log in to the targets’ Microsoft 365 accounts.

Once access is achieved, they serve the targets with a page asking them to set up a passkey.

The next page shows a Microsoft-branded prompt with a list of BIP-39 seed phrase words (borrowed from cryptocurrency wallets), and tells the target to write them down:

Microsoft 365 passkey enrollment

The “Save your recovery key” phishing page (Source: Okta)

Finally, they are instructed to enter one of them to “confirm” their recovery key, and when they do, they are served a page that confirms that a passkey registration was successful.

“We are not aware of any direct applicability of BIP-39 seed phrases to Microsoft Entra or its passkey registration process. An attacker that has already gained unauthorized access to a user account can create their own recovery codes using a process that does not require any input from the real account holder,” Okta researchers noted.

“It is likely that these passkey-themed pages are available to the phishing kit operator as a sleight of hand. It is a distraction to keep a user occupied on a task while the threat actor enrolls their own passkey in the legitimate Microsoft user account.”

Why passkeys make such a good lure

Passkeys are a genuine security improvement: they are phishing-resistant and cryptographically bound to the site that issued them, which is exactly why an attacker would want to enroll one on a target’s account.

“As of May 2026, Microsoft administrators have been able to create passkey registration campaigns that remind or ‘nudge’ users to enrol in passkeys at sign-in, and in some circumstances these nudges are on by default,” Okta researchers explained.

With enrollment prompts now appearing unbidden in Entra ID tenants, and employees getting used to seeing them, they make the perfect pretext.

Okta has observed this campaign targeting enterprises in the food and beverage, technology, healthcare, automotive, construction, and aviation industries, and says that the goal is data extortion.

Palo Alto Networks researchers documented the same campaign in early June 2026. They say that the after gaining access to the victim’s account, the attackers exfiltrate data from platforms like SharePoint and OneDrive, then use the compromised account to send their initial extortion email and internal Teams messages.

They also tied this campaign to the Pink data extortion group/brand, which say is likely a threat actor affiliated with The Com, a decentralized network of mostly English-speaking and mostly young cybercriminals who organize across Discord, Telegram, and gaming platforms.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

Leave a Reply