Extortion crew hijacks Microsoft 365 accounts with fake passkey scam

▼ Summary
– The Pink cyber extortion crew initiates attacks by vishing employees, impersonating IT to request a passkey setup for Microsoft 365 accounts.
– Targets are directed to a fake Microsoft Entra ID login page where they enter credentials, a second authentication factor, and set up a passkey.
– The phishing kit adapts to each victim’s MFA requirements and uses loading screens to delay the user while the attacker logs into their account.
– After gaining access, the attacker distracts the victim with a fake passkey recovery page using BIP-39 seed phrases, while enrolling their own passkey on the legitimate account.
– The campaign targets enterprises in multiple industries for data extortion, exfiltrating data from SharePoint and OneDrive, and is linked to The Com cybercriminal network.
A sophisticated social engineering campaign is actively targeting enterprise employees, using fake passkey enrollment requests to hijack Microsoft 365 accounts. The group behind this operation, known as the Pink cyber extortion crew, is leveraging the growing familiarity with passkey technology to bypass security protocols.
The attack begins with a vishing call where the impersonator, posing as IT support, claims it is time to set up a passkey. From that point, every step is meticulously staged to keep the victim engaged while the attacker executes the breach. The target is directed to a subdomain that closely resembles the Microsoft Entra ID login page, customized to appear as if it belongs to their employer.
Once there, the employee is instructed to log into their Microsoft 365 account, provide their second authentication factor, and complete the passkey setup. These interactions are managed through a panel-controlled phishing kit, which allows the attacker to tailor the authentication flow to each victim’s specific MFA requirements, whether that involves TOTP, push notifications with number matching, or SMS OTP.
Between phishing pages, the kit displays loading screens, buying the attacker time to use the captured credentials and authentication factors to log into the target’s real account. After gaining access, the victim sees a page asking them to set up a passkey. The next screen presents a Microsoft-branded prompt listing BIP-39 seed phrase words, borrowed from cryptocurrency wallets, and instructs the target to write them down. Finally, they are asked to enter one of these words to confirm their recovery key, after which a success message appears.
Researchers at Okta noted that BIP-39 seed phrases have no direct relevance to Microsoft Entra or its passkey registration process. An attacker who has already compromised an account can generate their own recovery codes without any input from the legitimate user. The researchers believe these passkey-themed pages are a deliberate distraction, keeping the victim occupied while the threat actor enrolls their own passkey in the real Microsoft account.
The choice of passkeys as a lure is strategic. Passkeys are inherently phishing-resistant and cryptographically tied to the issuing site, making them highly valuable to attackers. As of May 2026, Microsoft administrators can create passkey registration campaigns that nudge users to enroll at sign-in, and in some cases these nudges are enabled by default. With enrollment prompts now appearing organically in Entra ID tenants, employees are accustomed to seeing them, making this pretext nearly perfect.
Okta has observed this campaign targeting enterprises across multiple sectors, including food and beverage, technology, healthcare, automotive, construction, and aviation. The objective is data extortion. Palo Alto Networks researchers, who documented the same campaign in early June 2026, report that after gaining access, attackers exfiltrate data from platforms like SharePoint and OneDrive. They then use the compromised account to send the initial extortion email and internal Teams messages. This campaign has been linked to the Pink data extortion group, which is believed to be affiliated with The Com, a decentralized network of mostly young, English-speaking cybercriminals who coordinate across Discord, Telegram, and gaming platforms.
(Source: Help Net Security)




