O-UNC-066, also known as Pink, is a threat actor tracked by Okta and Palo Alto Networks Unit 42. Okta attributes to this actor an extortion operation known as Pink. Unit 42 described Pink as a new extortion brand affiliated with the decentralized threat network known as The Com. Since April 2026, the actor has conducted vishing-led phishing campaigns targeting Microsoft 365 users, specifically the Microsoft Entra/Microsoft 365 passkey enrollment process. Observed targets include enterprise organizations in the food and beverage, technology, healthcare, automotive, construction, and aviation sectors. The actor registers phishing domains containing the word "passkey," calls targeted users while impersonating security or IT staff, and persuades them to enroll a new passkey. Victims are directed to phishing pages that closely mimic legitimate Microsoft Entra passkey enrollment flows and may include the victim organization’s branding. Okta described the phishing kit as an operator-controlled PHP panel with near-real-time interaction, including a 1-second heartbeat polling mechanism. The kit relays credentials and MFA responses to the operator and adapts to the victim’s MFA method, including TOTP, push notification with number matching, and SMS OTP. While the victim believes they are enrolling their own passkey, the attacker attempts to authenticate to the victim’s Microsoft account and register a passkey under the attacker’s control. The phishing flow also presents fake Microsoft-branded passkey registration pages and prompts victims to save a fake BIP-39 recovery phrase and confirm one word from it; Okta noted that BIP-39 seed phrases have no legitimate role in Microsoft Entra passkey enrollment. The campaign appears to use Microsoft’s legitimate passkey enrollment nudges or administrator-enabled registration campaigns introduced or enabled in some circumstances in May 2026 as a pretext. Okta assessed the actor’s primary motivation as data extortion. After gaining access, Pink has been reported to move quickly to exfiltrate data from SharePoint and OneDrive, and its extortion site, launched on May 31, is used to publish samples of stolen data to pressure victims into paying a ransom. Okta also stated that the phishing kit does not handle federation to third-party identity providers such as Okta, and it had not directly observed compromise of Microsoft accounts in connection with this activity.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting voice-phishing and IT-impersonation campaigns that trick Microsoft 365 users into enrolling attacker-controlled Entra passkeys, then using the access for data theft and extortion.
Conducting vishing-enabled phishing and passkey-enrollment abuse against Microsoft 365 users at enterprise organizations, with the apparent goal of data extortion.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.