Criminals Are Calling Your Staff and Stealing Microsoft 365 Logins in Real Time
A hacking group is phoning employees, sending them to fake Microsoft login pages, and quietly locking themselves into corporate accounts before anyone notices. Okta has the details.

Key points
- A criminal group tracked by Okta as O-UNC-066, also known as Pink, has run a phone-based fraud campaign targeting Microsoft 365 accounts since at least April 2025.
- The group has hit organisations in automotive, aviation, construction, food and beverage, healthcare, and technology sectors.
- Attackers guide victims through a fake Microsoft login process in near-real time, watching each step and adapting what appears on screen.
- The goal is data extortion: steal files, then demand payment to keep them private.
- Victims receive a genuine Microsoft notification email after the attack, which is actually the clearest early warning sign.
A criminal group is cold-calling employees, pretending to help them set up a new security feature, and walking away with permanent access to their Microsoft 365 accounts. Okta, the identity security company, published details of the campaign this week.
The scam starts with a voice call. Vishing, short for voice phishing, is where a caller pretends to be from IT support, a vendor, or another trusted source to trick someone into handing over account details. Here, the caller tells the target they need to register a passkey, which is a newer, password-free way to log in to online accounts. That sounds routine enough.
How does the fake login page fool people?
The victim gets directed to a website that looks exactly like Microsoft's own login page, down to the correct branding and real images loaded from Microsoft's own servers. The page is built fresh for each target on the back end.
Here is where it gets clever, and nasty. Most phishing sites, where criminals build fake websites to steal passwords, just hoover up whatever you type and store it. This one does something different. A live operator sits on the other side of the panel, watching in real time. As the victim types their password, the criminal immediately types it into the real Microsoft website. They see what security check Microsoft then asks for, whether that is a text message code, an app notification, or a one-time code from an authenticator app, and then they update the fake page to ask the victim for the same thing.
The victim thinks they are enrolling a new passkey. They are actually handing the criminal a live session inside their account.
Once in, the criminal registers their own passkey on the victim's account. A passkey tied to the criminal's device. From that point, the criminal can log in any time they like, even after the victim changes their password.
Microsoft does send a genuine email confirming a new passkey was registered. That email is the canary. If any employee receives one they did not expect, that is the signal to call IT immediately and revoke access.
The group has also been using a distraction step involving recovery phrases borrowed from cryptocurrency wallet standards, probably to keep the victim occupied while the real account takeover completes in the background.
For ordinary employees, the practical advice is short: no IT team will call you out of the blue and ask you to log in to anything during the call. If that happens, hang up, call your own IT helpdesk on a number you look up yourself, and report it.
Operational takeaway: If your Microsoft tenant is not configured to alert security teams the moment a new passkey or authenticator is registered on any account, fix that before next Monday.



