Cybercriminals have discovered a novel method to hijack enterprise Microsoft accounts by abusing Microsoft Entra passkey enrollment. This attack, first identified in April 2026, is orchestrated by a threat group known as O UNC 066 (also referred to as Pink by Palo Alto Networks Unit 42). The campaign leverages social engineering and custom phishing kits to circumvent traditional multi-factor authentication (MFA), putting Microsoft 365 environments at significant risk.
How the Microsoft Entra Passkey Enrollment Attack Unfolds
The focus of this attack is on the passkey feature within Microsoft Entra, which is designed to enable passwordless authentication for corporate accounts. Instead of directly stealing credentials, attackers manipulate users into helping them register attacker-controlled passkeys on legitimate enterprise accounts.
Step-by-Step Breakdown of the Attack
- Initial Contact: Attackers initiate the campaign by calling employees directly. The call is positioned as a routine security update, referencing Microsoft’s ongoing push for passwordless sign-in.
- Social Engineering: During the call, the employee is told their account needs a new passkey for enhanced security. Given Microsoft’s legitimate push for passwordless adoption, this request appears authentic and lowers suspicion.
- Phishing Landing Page: The victim is guided to a spoofed Microsoft Entra login page, crafted to closely resemble their organisation’s branding. The page is part of a custom phishing kit designed to capture authentication flows without arousing suspicion.
- Passkey Registration: The phishing site prompts the user to register a new passkey. Unbeknownst to the victim, the passkey is controlled by the attacker, effectively granting persistent access to the employee’s Microsoft account.
- Post-Compromise Actions: With an attacker-controlled passkey registered, the threat actor can access the account at will, bypassing traditional password and MFA controls.
This method is highly effective because it exploits the trust in new security features and the ongoing transition towards passwordless authentication. By co-opting the legitimate passkey enrolment process, attackers bypass even well-configured MFA in Microsoft 365 tenants.
Timeline and Campaign Scope
The campaign was first observed in April 2026, and intelligence suggests it remains ongoing. O UNC 066, also known as Pink, has targeted a range of organisations using Microsoft Entra and Microsoft 365. While exact victim numbers are unclear, the technique’s sophistication and social engineering component indicate a focused campaign that could scale rapidly if left unaddressed.
Key points in the timeline:
- April 2026: Initial reports of phone-based phishing tied to passkey enrolment emerge.
- Ongoing: Security researchers and incident response teams detect multiple variations of the attack, with phishing kits tailored to specific company branding.
- Current Status: The attack technique is publicly documented, but exploitation is still active, as not all organisations have hardened their Entra passkey and enrolment processes.
Researchers warn that the campaign leverages the momentum behind passwordless adoption, targeting organisations that may not have fully secured their passkey registration workflows.
Technical Details: Bypassing MFA and Gaining Persistence
The crux of this attack is the registration of a new passkey under the attacker’s control. Traditional MFA methods are rendered ineffective because the attacker uses the legitimate enrolment channel, assisted by the user themselves. Once the passkey is registered, it functions as a persistent authentication mechanism, enabling long-term account access without raising immediate alerts.
Products and versions affected include:
- Microsoft Entra (formerly Azure AD) passkey functionality
- Microsoft 365 accounts with passkey or FIDO2 security key enrolment enabled
Because the attack leverages social engineering rather than a specific software vulnerability, all Microsoft 365 and Entra tenants using passkey enrolment are potentially at risk if enrolment processes are not tightly controlled.
Indicators of Compromise
- Unexpected passkey registrations in audit logs
- Unusual enrolment requests or helpdesk tickets regarding passkeys
- Login activity from unfamiliar locations shortly after passkey registration events
Why This Matters for Microsoft 365 Tenants
This campaign highlights how attackers adapt quickly, turning new security features like passkeys into vectors for persistent account compromise. Because the attack bypasses traditional MFA, organisations relying solely on standard authentication hardening may find themselves exposed.
Immediate Actions for Organisations
- Review and restrict self-service passkey enrolment policies in Microsoft Entra.
- Enable Conditional Access policies to require strong user verification before passkey registration.
- Audit all recent passkey registrations for signs of unauthorised enrolment.
- Educate staff on the specific tactics used, emphasising that IT will never request passkey registration via phone or unsolicited email.
Staying vigilant and reviewing authentication workflows is essential to prevent attackers from abusing new security features.
Originally reported by cybersecuritynews.com.







