Powered by MOMENTUMMEDIA
For breaking news and daily updates, subscribe to our newsletter

Hackers targeting Microsoft 365 in widespread vishing campaign, Okta warns

Entra passkey enrolment targeted in widespread voice-phishing campaign active since at least April 2026.

Mon, 13 Jul 2026
Hackers targeting Microsoft 365 in widespread vishing campaign, Okta warns

A cyber extortion group calling itself Pink has been observed targeting Microsoft 365’s passkey enrolment process in order to gain access to victim networks.

According to access management and security firm Okta, the hackers are using a panel-controlled phishing kit capable of impersonating a victim organisation’s Microsoft Entra ID login pages in real time.

“The threat actor registers domains that incorporate the word passkey as part of a voice-enabled phishing (‘vishing’) scheme. The threat actor then calls targeted users on the phone in an attempt to persuade them that they need to register a new passkey,” Okta said in a recent blog post.

 
 

“Users are directed to a phishing kit that closely mimics the Microsoft passkey enrollment process. It appears engineered to convince a targeted user they are in the process of enrolling a passkey with Microsoft, while the threat actor simultaneously registers their own passkey in the targeted user’s Microsoft account.”

What makes the process even more likely to succeed is that it not only mimics a legitimate-seeming environment – complete with Microsoft branding and that of the organisation being targeted – but it’s not unlike Microsoft’s own recent passkey registration activities, which began reminding users in May to enrol passkeys at sign-in.

“Threat actors have used this well-intentioned security upgrade as a pretext for abusing the enrollment process to further their objectives,” Okta said.

As to what those objectives are, the hackers themselves outline their motives on their darknet leak site.

“We are a financially motivated group. Security, as you are undoubtedly aware, is an expensive undertaking, particularly when it has been neglected for some time,” Pink said.

“Our only goal is profit, and that is our only motivation. We know what your data is worth, and we expect to get our value out of it.”

Okta has observed the hackers using several domains to create their targeted subdomains, including:

  • assignpasskey[.]com (2026-06-14, Internet Domain Service BS Corp., DDoS-Guard)
  • deploypasskey[.]com (2026-04-21, Tucows, DDoS-Guard)
  • passkeydeploy[.]com (2026-04-23, Internet Domain Service BS Corp, DDoS-Guard)
  • passkeyadd[.]com (2026-05-08, Tucows, DDoS-Guard)
  • setpasskey[.]com (2026-05-23, IQWeb FZ-LLC)

So if a victim were named “ExampleEntity”, the malicious subdomain would read “exampleentity[.]setpasskey[.]com”. In addition, the sectors being targeted are in the food and beverage, technology, healthcare, automotive, construction, and aviation industries, Okta said.

You can learn more about the campaign and recommendations to defend against it here.

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.
Tags:

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.