ProBackend
collaboration vishing impersonation
2 hours ago5 min read

Deceptive Voices: Extortion Gangs Pivot to Real-Time Passkey Vishing

A new extortion operation, Pink, is targeting multi-sector organizations by vishing users to register attacker-controlled Microsoft Entra passkeys. This article breaks down the operator-controlled phishing technique, the data exfiltration goal, and mitigation strategies.

A New Vishing Playbook

The latest threats aren't complex exploits hitting unpatched servers; they're human-centric, voice-driven, and alarmingly effective. We're seeing a trend where attackers impersonate IT helpdesk teams to guide employees into registering attacker-controlled passkeys. This isn't theoretical—it's hitting organizations across healthcare, technology, and beyond right now.

The group behind this, tracked as Pink or O-UNC-066 (part of 'The Com' network), isn't wasting time. They have their eyes on Microsoft 365 environments, and their method is a clever twist on how we authenticate.

The 'Passkey' Ruse

The attacker's approach starts with a classic vishing hook. They call an unsuspecting employee, impersonating internal security or IT personnel, and demand a "mandatory update" to their security—specifically, the registration of a new Entra passkey. It sounds plausible, especially with modern shifts toward passwordless authentication.

Once the victim feels the urgency, the attacker directs them to a phishing domain designed to look like a legitimate Microsoft Entra portal. The URLs themselves often feature the word 'passkey' to lull the user into a false sense of security.

Here's where it gets interesting—and dangerous—for the defender: this isn't just a basic proxy-based phishing kit. It's an operator-controlled PHP panel.

The attacker is on the other end, in real-time, steering the victim. They use a 1-second heartbeat polling mechanism to monitor the victim's progress on the fake site. If the victim triggers a multi-factor authentication (MFA) challenge—whether it's a push notification, a code, or SMS—the attacker sees it immediately within their panel and prompts the user accordingly. They guide the victim through these hurdles until the passkey is registered under the attacker's control, not the user's.

Why This Attacks Our Trust in Passkeys

Passkeys were meant to be the death of the phishing victim. By using FIDO2-based hardware-bound credentials, they eliminate the need for cumbersome passwords and traditional MFA codes. In theory, they are immune to AiTM proxy attacks because the handshake is bound to the origin.

But this attack is a masterclass in exploiting the process, not the protocol. The attackers aren't breaking the cryptography of the passkey. They are convincing the user to authorise the attacker's own passkey as a credential on the user's account. The user believes they are being helpful and following security best practices. The protocol works perfectly; the human link is the point of failure.

The Com and Pink: A Dangerous Partnership

Pink, the brand behind this operation, is a new name in extortion, but they aren't working in isolation. They are part of 'The Com' (short for The Community), a decentralized threat network that thrives on this kind of technical yet social manipulation.

The Com has proven to be a dangerous breeding ground for these kinds of extortion crews. Their modus operandi isn't the slow, clandestine intrusion of traditional APT groups; it's rapid-fire disruption. They are masters of the phone, the impersonation, and the speed needed to move from an initial hook to full data exfiltration before the victim even realises they've been compromised. See also: Teams Screen Sharing Abused in Cross-Tenant Vishing Campaigns to Deliver EtherRAT for another example of how collaboration platforms are being weaponized in social engineering attacks.

From Access to Extortion

Why go through all this effort? Because once they have a registered passkey, they have unfettered access to the victim's Microsoft 365 environment. We aren't talking about slow, patient reconnaissance. These attackers move fast. Their primary focus is data exfiltration—grabbing everything they can from SharePoint and OneDrive.

The goal is extortion. Pink has been running a dedicated extortion site, surfacing samples of the stolen data to pressure organizations into paying up. They don't just threaten; they set deadlines, often giving companies a tight 72-hour window to respond before accelerating their leaking tactics. This pattern mirrors other data-extortion campaigns like How a Developer Token Compromise Sparked a Global Pharma Data-Extortion Crisis, where rapid credential access leads to large-scale data theft and ransom demands.

Stopping the Human-Centric Threat

If your strategy for stopping credential theft relies entirely on MFA, you're missing the point. The attacker is bypassing the MFA by making the user do the work for them. As explored in How Attackers Bypass MFA: Device Code Phishing and Authentication Workflow Exploits, there are numerous techniques that turn MFA from a shield into a liability when the user is manipulated.

You have to rethink how you verify personnel. Does your helpdesk have a verified identity channel? Do employees know that 'IT' will never ask them to register a passkey over the phone?

Technical controls are still vital, of course. Monitor your Entra logs for unauthorized passkey registrations. If you see activity from unusual locations or an unexpected spike in passkey enrollment that doesn't align with your known deployment waves, raise the alarm early.

The war for identity isn't just fought with code. It's fought by training your users to recognize—and challenge—the people reaching out to them. If the request feels urgent, sounds like a departure from standard procedure, and forces you to a domain that isn't cleanly your company's own, stop. Hang up. And call your real IT team on their known, internal-only support line.

Furthermore, security teams should look into enforcing conditional access policies that restrict who can register passkeys. If you don't absolutely need all users to have passkey capability enabled right now, consider limiting the rollout to a pilot group. This gives you more control and visibility.

Ultimately, the best defense is a skeptical workforce. When that phone rings, regardless of how authoritative the caller sounds, insist that they authenticate themselves via your known process, not the one they've conveniently provided for you. That simple doubt is the strongest firewall you have.

A New Vishing Playbook

More blogs