Identity

Okta warns of vishing scheme that extorts data

Social engineering cyber threat — growing human hacking attack concept for security awareness article, card on black keyboard

Okta told its customers that since April 2026, a threat actor tracked as O-UNC-066 that operates the “Pink” data leak site, leveraged a vishing scheme deploying a phishing kit that targets the passkey enrollment process for Microsoft 365 in corporate settings.

According to Okta’s advisory, attackers impersonating corporate IT direct employees to a phishing kit that mimics the Microsoft passkey enrollment process.

The combination of the vishing call and the phishing kit convinces an employee they are in the process of enrolling a passkey with Microsoft, while the threat actor simultaneously registers their own passkey and takes over the targeted user’s Microsoft account.

Okta said it observed the targeting of enterprise organizations across many vertical sectors, including the food and beverage, technology, healthcare, automotive, construction, and aviation industries.

The primary motivation of the attackers: data extortion.

“Attackers impersonate IT support, convince users to approve Microsoft Authenticator prompts, reveal one-time codes or reset credentials, then immediately use those credentials to log into Microsoft 365 before the victim realizes what’s happened,” said Kevin Surace, chief executive officer at TokenCore. “This is no longer about hacking Microsoft. It’s about convincing a human to authenticate the attacker, which is why these attacks are so effective.”

Maggie McDaniel, global head of intelligence at iCounter, explained that what makes this campaign notable is what the social engineering actually targets: the attacker isn't just phishing a password, they're getting the victim to personally enroll a passkey the attacker controls, and that's a much harder foothold to remove than a stolen credential.

“Most account recovery playbooks assume you can reset a password and rotate a token and call it resolved,” said McDaniel. “They don't account for a victim having voluntarily authorized a second, attacker-owned device into their own identity. What also makes this campaign especially pernicious is that the security industry has spent so much time and effort convincing people and organizations to implement MFA that the threat actors are now, essentially, using those efforts against us.”

McDaniel added that the attacks across sectors such as automotive, aviation, construction, food and beverage, healthcare, technology, tells us this isn't a targeted intrusion: it's a repeatable social-engineering script being run at scale against whichever help desk or user will fall for it.

“Teams should treat any passkey enrollment request that originates from an inbound phone call as suspicious by default, and audit which passkeys are currently enrolled on privileged accounts rather than assuming MFA alone means the account is secure,” said McDaniel.

John Carberry, solution sleuth at Xcape Inc., said the targeting of Microsoft 365 tenants via cross-sector vishing campaigns shifts the primary identity risk from technical exploitation to human-in-the-middle manipulation.

Carberry said in this campaign, attackers bypass traditional MFA by social engineering users during live phone calls. The operators guide victims to malicious lookup sites that closely mirror legitimate Microsoft Entra ID interfaces, exploiting recent corporate passkey initiatives to trick users into authorizing rogue credentials.

To mitigate this exposure, Carberry said defenders must train users to recognize fake enrollment URLs, which often utilize lookalike domains incorporating the word passkey rather than the official corporate identity portal. Furthermore, Carberry said internal awareness programs must warn personnel to remain skeptical of unsolicited phone calls that demand sensitive security operations, such as registering authentication factors or confirming identity resets.

“SOC teams must pair this user training with technical constraints, restricting self-service passkey registration from unverified network locations and enforcing rigid out-of-band manager validation for credential updates,” said Carberry.

Here are three tips for security teams on how to respond:

  • Isolation: Restrict self-service passkey registration to known, compliant corporate networks to block remote registration from lookalike sites.
  • Education: Train employees to immediately reject and report unsolicited phone calls requesting sensitive security modifications.
  • Response: Configure explicit alerting within the SOC for anomalous passkey registration events, especially when followed by rapid changes to user profile authentication methods.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds