CyberDefenseMagazine

The Threat Mechanism and Mitigation of Pink Vishing Campaigns


Pink Exploits Microsoft Entra Passkey

The Pink data extortion group (tracked as O-UNC-066 through Okta or CL-CRI-1147 as called by Palo Alto Unit 42) has scaled up a highly sophisticated voice phishing (“vishing”) campaign that directly targets corporate employees utilizing Microsoft 365 and Entra ID environments. Active since April 2026, with a massive surge in operations documented throughout July 2026, this cluster of threat actors heavily targets critical enterprise sectors, including healthcare, technology, aviation, automotive, construction, and the food and beverage industries. The group exploits a lack of user familiarity with cryptographic passkeys by perfectly timing their social engineering lures with Microsoft’s May 2026 rollout of automated passkey registration “nudges”. By impersonating internal IT helpdesk personnel over the phone, Pink operators guide employees to realistic, employer-branded lookalike subdomains. The hackers can simultaneously connect into the legitimate account in almost real time by using a powerful, operator-controlled backend panel to intercept login credentials and dynamically modify the phishing interface to match the user’s specific multi-factor authentication (MFA) criteria.

How the Attack Works and How Organizations Can Defend Against It

IT administrators, security operations center (SOC) teams, and other business staff must stay painfully aware of the strategies utilized to perform this attack in order to properly identify and defuse a Pink infiltration attempt. During an active attack in July 2026, the phishing kit will display a highly realistic Microsoft-branded recovery page presenting a list of BIP-39 seed phrases (the 12-to-24 random words traditionally used to secure cryptocurrency wallets), instructing the employee to write them down for “identity backup”. Because BIP-39 seed phrases have zero technical applicability or integration within Microsoft Entra ID, encountering a crypto-style recovery block during a corporate login is a definitive indicator of an active compromise. The threat actor uses this artificial barrier as a distraction to keep the user occupied while they quietly register their own permanent, phishing-resistant passkey onto the user’s real profile, subsequently using that persistent access to exfiltrate massive amounts of sensitive data from SharePoint and OneDrive. Organizations can mitigate and resolve this vulnerability by implementing strict conditional access policies that restrict passkey registration exclusively to known corporate IP ranges, monitoring logs for newly bound passkeys given benign names, and establishing out-of-band verification protocols to ensure users immediately hang up on unsolicited IT compliance calls.

Author Notes

 “Vishing actors target Entra passkey enrollment,” Okta Threat Intelligence, July 5, 2026.

About the Author

Carmen Estela is a Cybersecurity Research Analyst at Cyber Defense Magazine and a Women in Cybersecurity Award Candidate. She recently graduated with a Master’s of Science degree from the University of Central Florida and holds a Bachelor’s degree in Criminology from the University of Florida with certifications in Data Analytics and AI Fundamentals. She frequently speaks and volunteers at well-known industry gatherings, such as BSides Orlando and BSides Jax, where she offers her perspectives on emerging cyber trends. Carmen is committed to advancing the standards of governance, risk, and compliance within cybersecurity. She has also served as an adult protective investigator, police dispatcher, and legal intern, applying investigative skills across law enforcement, academic, and public service settings. 

Reach her online at [email protected].



Source link