Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access
Threat actor O-UNC-066 employs voice phishing (vishing) combined with a custom PHP-based phishing kit to trick Microsoft 365 users into enrolling attacker-controlled passkeys. The attack bypasses traditional credential theft by using an operator-controlled panel to guide victims through real-time MFA challenges and fake passkey registration flows. The phishing kit mimics legitimate Microsoft interfaces, using distraction techniques like fake recovery keys to hide the unauthorized enrollment of a
Analysis
TL;DR
- Threat actor O-UNC-066 employs voice phishing (vishing) combined with a custom PHP-based phishing kit to trick Microsoft 365 users into enrolling attacker-controlled passkeys.
- The attack bypasses traditional credential theft by using an operator-controlled panel to guide victims through real-time MFA challenges and fake passkey registration flows.
- The phishing kit mimics legitimate Microsoft interfaces, using distraction techniques like fake recovery keys to hide the unauthorized enrollment of attacker passkeys.
- This technique exploits the growing adoption of phishing-resistant passkeys, turning a security enhancement into a vector for account takeover and data extortion.
- The threat group is linked to the decentralized cybercrime collective "The Com," indicating coordinated efforts across multiple high-profile hacking clusters.
Why It Matters
This incident highlights a critical shift in phishing tactics where attackers exploit user trust in modern security protocols like passkeys rather than just stealing passwords. For AI and security practitioners, it demonstrates how social engineering can be integrated with automated, operator-in-the-loop tools to bypass multi-factor authentication effectively. Understanding this hybrid approach is essential for developing better detection mechanisms and user awareness programs that address both technical vulnerabilities and psychological manipulation.
Technical Details
- Attack Vector: A combination of vishing (voice phishing) and a sophisticated phishing kit hosted on domains containing "passkey."
- Phishing Kit Architecture: An operator-controlled PHP panel that handles anti-analysis checks, credential harvesting, and real-time adaptation to user MFA methods (SMS OTP, TOTP, Push).
- Real-Time Manipulation: Unlike static AitM proxies, this kit allows a human operator to intervene, entering stolen credentials on the legitimate Microsoft login page and guiding the victim through subsequent MFA steps via customized web pages.
- Passkey Enrollment Spoofing: After gaining initial access, the kit redirects users to fake passkey registration pages (
/passkey/register,/passkey/check) that mimic system dialogs but actually enroll the attacker's passkey. - Distraction Mechanism: Victims are prompted to save a fake 12-word recovery key, similar to crypto wallet mnemonics, to occupy them while the attacker completes the passkey registration in the background.
Industry Insight
- Security Awareness Training: Organizations must update training to include scenarios involving voice-based social engineering and the specific risks of passkey enrollment, emphasizing that legitimate services never ask users to enroll passkeys via unsolicited phone calls.
- Detection Strategies: Identity security solutions should monitor for anomalous passkey registrations, especially those initiated immediately after failed login attempts or unusual geographic locations, and flag real-time interactions with identity providers that deviate from standard automated flows.
- Policy Adjustments: Administrators should consider restricting passkey enrollment permissions or requiring additional verification steps for new device registrations to mitigate the risk of unauthorized passkey additions by compromised accounts.
Disclaimer: The above content is generated by AI and is for reference only.