Microsoft Passkeys Under Siege: How Vishing Attackers Turn Security Upgrades Into Account Takeovers

Threat actors have found a clever way to flip a Microsoft security feature on its head. They now use fake Entra passkey enrollment pages to hijack Microsoft 365 accounts. The tactic relies on voice calls that sound official. Victims get told their account needs an urgent security upgrade.

Okta first spotted the activity. It tracks the group as O-UNC-066. The actor targets companies across food and beverage, technology, healthcare, automotive, construction, and aviation sectors. Calls come in pretending to be from IT support. The goal appears straightforward. Convince the employee to register a new passkey. But the passkey belongs to the attacker.

The Hacker News reported the details yesterday. Researchers described a panel-controlled phishing kit built in PHP. It walks victims through steps that mirror Microsoft’s real enrollment flow. Short pause. Then longer sequences of credential theft followed by real-time adaptation to MFA prompts. The operator sits behind the scenes. They log in with stolen details while the caller keeps the victim on the phone.

This marks a shift. Earlier campaigns abused device codes or adversary-in-the-middle proxies. Those stole tokens without full account control. Here the attacker ends up with a phishing-resistant passkey bound to the victim’s identity. Persistence becomes trivial. Data extortion follows.

But wait. The method exploits something many organizations push hard. Microsoft encourages passkey adoption. Administrators can set up registration campaigns that nudge users at sign-in. Attackers simply hijack that narrative. “The threat actor registers domains that incorporate the word passkey as part of a voice-enabled phishing (‘vishing’) scheme,” Okta researcher Houssem Eddine Bordjiba said in the company’s threat intelligence report.

The kit operates with precision. First page shows a loading icon and runs anti-analysis checks. Next comes username collection. Then password. Credentials fly to a backend panel. The operator enters them on the genuine Microsoft login page for that tenant. MFA challenges appear. The kit presents the matching prompt to the victim. OTP captured. Push approval guided. All while the caller maintains pressure.

Once inside, the passkey phase begins. Victim sees a page instructing them to create a passkey. Another displays a 12-word recovery key. The user must confirm the final word. It feels official. In truth the attacker registers their own passkey in the background. The recovery phrase serves as busywork. A distraction. “The phishing kit appears to prey on lack of user familiarity with passkey authentication,” Okta explained. “In a real passkey registration ceremony, the user might expect a system dialog to register a passkey on their device. The passkey pages in this phishing kit appear to mimic this process without registering a passkey.”

Security teams should take notice. Passkeys were supposed to reduce phishing success. They eliminate passwords and resist replay. Yet here they become the entry point. The lure feels helpful. Security upgrade. Account protection. Employees comply without much suspicion.

Related campaigns have surged this year. The FBI warned in May about Kali365. That phishing-as-a-service kit hijacks Microsoft 365 access tokens and bypasses MFA without stealing passwords. Its advisory highlighted Telegram distribution and low subscription costs. Attackers pay a few hundred dollars a month for the service.

Bleeping Computer covered device code vishing attacks back in February. Those hit technology, manufacturing, and financial firms. Actors abused OAuth 2.0 device authorization grants using legitimate Microsoft client IDs. The report noted connections to ShinyHunters. Similar social engineering. Different technical path.

Just two days ago Bleeping Computer detailed the Entra passkey vishing wave itself. Callers use domains containing “passkey.” Victims get redirected to kits that look identical to Microsoft’s process. Its article stressed the real-time operator control element.

Cybersecurity News added context yesterday. It linked the operation to Pink, a data leak site active since April. Palo Alto Networks Unit 42 tracks the cluster as CL-CRI-1147. The group ties to The Com, a loose collective that counts Scattered Spider and LAPSUS$ among its ranks. The publication described the initial call as coming from someone posing as IT support insisting a new passkey must be registered.

Microsoft itself has documented multi-stage phishing that leads to adversary-in-the-middle token theft. Its May security blog post outlined campaigns using calendar invites and real login pages. That analysis remains relevant because the new passkey tactic builds on the same social engineering foundation.

Barracuda Networks researchers broke down Tycoon 2FA and device code threats in late June. Their email threat radar noted real Microsoft login pages capturing session tokens. The post warned that even genuine-looking flows can hide malice.

So what now? Organizations cannot simply tell users to ignore all calls. Verification processes must improve. Require callback to a known IT number. Check recent Entra sign-in logs for unusual passkey registrations. Look for domains that mimic but do not match official Microsoft patterns.

Conditional access policies help yet fall short alone. Binding tokens to devices offers one layer. Requiring phishing-resistant methods for sensitive actions adds another. Training must cover passkeys specifically. Explain what a legitimate enrollment looks like. Stress that IT rarely calls demanding immediate action.

The attacker adapts on the fly. That remains the kit’s strength. Different MFA methods? The panel switches pages accordingly. Number matching push notification appears? The operator guides the victim through approval. Real time. Personal. Convincing.

Pink’s emergence in April lines up with increased activity. The group leaks stolen data and uses it to pressure victims further. Extortion follows compromise. Ransomware may not even be necessary when account access yields customer records, intellectual property, or financial details.

Industry watchers expect more variants. Forg365, a newer phishing-as-a-service platform reported yesterday by Bleeping Computer, combines adversary-in-the-middle tactics with AI-generated lures. Its coverage suggests the market for these toolkits keeps expanding. Features overlap with Kali365 and others. Barriers to entry drop.

Microsoft continues refining defenses. Recent updates tighten self-service password reset requirements. Jailbreak detection in Authenticator prevents compromised devices from using Entra credentials. These changes address pieces of the puzzle. The human element stays hardest to solve.

Security leaders must assume vishing will target their teams. Passkey campaigns represent the latest evolution. Attackers study new features faster than many defenders can roll them out. They turn adoption drives into attack vectors.

Monitor Entra audit logs for passkey registration events from unexpected IPs. Correlate with voice call reports from employees. Establish clear escalation paths for suspicious IT contacts. And above all, slow down the interaction. Legitimate security upgrades rarely require immediate phone-guided enrollment.

The campaign exposes a broader truth. Every new authentication method brings new social engineering opportunities. Passkeys reduce password fatigue. They raise the bar for credential theft. Yet when paired with convincing vishing and a live operator, that bar can still be cleared. Organizations that treat the rollout as purely technical will miss the human exploitation layer.

Defenders have tools. They need processes and awareness to match. The actor behind O-UNC-066 and Pink shows no sign of slowing. New sectors could appear in targeting lists next week. The phishing kit will likely evolve with updated pages and additional lures. Preparation now beats reaction later.


Discover more from Web and IT News

Subscribe to get the latest posts sent to your email.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top

Discover more from Web and IT News

Subscribe now to keep reading and get access to the full archive.

Continue reading