Since April 2026, O-UNC-066, also known as Pink, has used a panel-controlled phishing kit and vishing scheme to target Microsoft 365 passkey enrollment and trick users into authorizing a fraudulent passkey. Okta observed the activity across multiple industries, with the attackers primarily seeking data extortion, though the kit does not handle third-party federation and no direct Microsoft account compromise was observed. #O-UNC-066 #Pink #Microsoft365 #Okta
Keypoints
- O-UNC-066, also known as Pink, is behind the phishing campaign.
- The attack targets Microsoft 365 passkey enrollment through vishing.
- Domains containing βpasskeyβ are used to lure victims by phone.
- The phishing kit mimics Microsoftβs passkey enrollment flow.
- Okta saw the activity across several industries, with data extortion as the goal.