A threat actor is using vishing and fake Microsoft Entra passkey enrollment requests to trick Microsoft 365 users into handing over credentials and MFA responses. Okta attributes the campaign to O-UNC-066, linked to the Pink extortion operation, which targets multiple industries and rapidly steals data from Microsoft services after account takeover. #MicrosoftEntra #Microsoft365 #O-UNC-066 #Pink #TheCom
Keypoints
- The attacker calls users and claims they must enroll a new Microsoft Entra passkey.
- Victims are sent to phishing sites that mimic the real Entra passkey enrollment portal.
- The kit is an operator-controlled PHP panel that adapts to different MFA methods in real time.
- Okta tracks the activity as O-UNC-066, linked to the Pink extortion operation.
- Pink targets multiple sectors and quickly exfiltrates data from SharePoint and OneDrive.