Multiple reports describe a cyber extortion campaign in which attackers use vishing (voice phishing) to trick employees into enrolling a fake Microsoft Entra passkey. The process begins with a call to the target in which the attacker poses as IT personnel and claims it is time to set up a passkey. According to the accounts, the attacker then directs the victim to a specific web location associated with passkey enrollment, where the interaction is designed to appear legitimate. Okta identifies the activity as being carried out by a threat actor tracked as O-UNC-066, and one outlet links it to the “Pink” extortion crew. The described technique centers on manipulating the Entra passkey enrollment workflow so that the attacker can gain account access rather than solely stealing credentials. After the enrollment process is completed, the attacker is able to take over Microsoft 365 accounts. The Hacker News and Help Net Security both describe the campaign’s broader motivation as data extortion, with the aim of using access to the compromised accounts to pressure victims. The reports also note that the tooling supporting the scheme includes a passkey-focused phishing kit that is controlled via an attacker-controlled panel.