Fake 'security upgrade' phone calls trick Microsoft 365 users into handing over their accounts

A criminal crew called Pink is calling staff, walking them through a fake Microsoft passkey setup, and quietly registering a login key of its own.

ThreatVectr Newsdesk· 4 min read
Photoreal news-editorial shot of an anonymous desk phone ringing next to a laptop showing a generic blurred corporate login screen, warm office lighting, shallo
Share

Key points

  • A criminal group tracked as Pink has been phoning Microsoft 365 users since April 2025 and tricking them into registering a passkey the attackers control.
  • Okta researchers, who track the group as O-UNC-066, say victims span food and drink, technology, healthcare, automotive, construction and aviation.
  • The gang launched a data leak site on May 31, 2025, publishing samples of stolen files to pressure victims into paying.
  • The fake enrollment pages ask users to save a BIP-39 recovery phrase, something Microsoft's real passkey process never uses.
  • After breaking in, Pink moves fast to steal files from SharePoint and OneDrive.

A criminal crew calling itself Pink is phoning office workers, pretending to be from IT, and walking them through what looks like a routine security upgrade for their Microsoft 365 account.

It is not an upgrade. By the end of the call, the attackers have registered a passkey, a small login credential stored on a device, on the victim's account. The passkey belongs to the criminals. They now own the login.

The campaign has been running since April, according to identity company Okta, which tracks the group as O-UNC-066. Palo Alto Networks Unit 42 links Pink to a wider criminal network known as The Com. First reported by BleepingComputer, the operation targets staff at organisations in food and drink, technology, healthcare, automotive, construction and aviation.

How does the scam actually work?

It starts with a phone call. The caller claims to be from the company's IT or security team and says the employee needs to enrol a new Microsoft Entra passkey for safety reasons. Entra is Microsoft's identity system, the thing that decides who is allowed to log in.

The victim is sent to a website with the word "passkey" in its address. The site carries the employer's logo and looks like Microsoft's real enrollment page. It is a fake.

Behind the scenes, a human attacker is watching. Okta describes the setup as "an operator-controlled PHP panel" that checks in every second, letting the criminal steer the victim in real time. If the victim gets a text code, the panel asks for it. If they get a push notification with a number, the panel asks for that too. Whatever the victim types is forwarded to the attacker, who uses it to log in for real.

Once inside, the fake site shows a Microsoft-branded page asking the victim to save a 12-word recovery phrase and confirm one of the words. This is a red flag hiding in plain sight. Microsoft's real passkey setup does not use recovery phrases. Okta says the step is likely there to keep the victim busy while the attacker registers their own passkey on the account.

Why passkeys, and why now?

Passkeys are meant to be safer than passwords. They live on a device and cannot be phished in the usual way. Microsoft made it easier for admins to push staff towards passkeys in May, when it opened up "passkey registration campaigns" for administrators. Pink is riding that wave. Staff have been told to expect passkey prompts, so a call about one feels normal.

What happens after they get in?

Speed. Okta says Pink moves quickly to pull files out of SharePoint and OneDrive, the two places most companies keep their documents. The gang then posts samples on a leak site it launched on May 31 and demands payment to stop the rest going public. Okta did not publish specific ransom figures. It is not clear which victims, if any, have paid.

What should ordinary staff do?

If someone rings and tells you to set up a passkey right now, hang up and call your own IT helpdesk on a number you already trust. Real IT teams will wait. And if a Microsoft page asks you to write down a recovery phrase, stop. That is not part of the real process.

Okta recommends companies tighten how they verify helpdesk callers and block login attempts from countries where the business does not operate.

© 2026 Threat Vectr