AI Security AI安全 12h ago Updated 11h ago 更新于 11小时前 46

Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access 黑客利用伪造的Microsoft Entra通行密钥注册获取Microsoft 365访问权限

Threat actor O-UNC-066 employs voice phishing (vishing) combined with a custom PHP-based phishing kit to trick Microsoft 365 users into enrolling attacker-controlled passkeys. The attack bypasses traditional credential theft by using an operator-controlled panel to guide victims through real-time MFA challenges and fake passkey registration flows. The phishing kit mimics legitimate Microsoft interfaces, using distraction techniques like fake recovery keys to hide the unauthorized enrollment of a 攻击者利用“语音钓鱼”(Vishing)诱导微软365用户注册伪造的Entra Passkey,从而获取账户控制权。 该攻击由Okta追踪为O-UNC-066,使用面板控制的钓鱼套件,可实时适配受害者的多因素认证(MFA)要求。 攻击流程包括窃取凭据、绕过MFA验证,最后以“注册Passkey”为幌子进行数据勒索,利用用户对新技术的不熟悉进行心理操纵。 此威胁与微软推动Passkey大规模采用的背景重合,攻击者滥用安全升级流程作为诱饵,针对食品、医疗、科技等多个行业。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Threat actor O-UNC-066 employs voice phishing (vishing) combined with a custom PHP-based phishing kit to trick Microsoft 365 users into enrolling attacker-controlled passkeys.
  • The attack bypasses traditional credential theft by using an operator-controlled panel to guide victims through real-time MFA challenges and fake passkey registration flows.
  • The phishing kit mimics legitimate Microsoft interfaces, using distraction techniques like fake recovery keys to hide the unauthorized enrollment of attacker passkeys.
  • This technique exploits the growing adoption of phishing-resistant passkeys, turning a security enhancement into a vector for account takeover and data extortion.
  • The threat group is linked to the decentralized cybercrime collective "The Com," indicating coordinated efforts across multiple high-profile hacking clusters.

Why It Matters

This incident highlights a critical shift in phishing tactics where attackers exploit user trust in modern security protocols like passkeys rather than just stealing passwords. For AI and security practitioners, it demonstrates how social engineering can be integrated with automated, operator-in-the-loop tools to bypass multi-factor authentication effectively. Understanding this hybrid approach is essential for developing better detection mechanisms and user awareness programs that address both technical vulnerabilities and psychological manipulation.

Technical Details

  • Attack Vector: A combination of vishing (voice phishing) and a sophisticated phishing kit hosted on domains containing "passkey."
  • Phishing Kit Architecture: An operator-controlled PHP panel that handles anti-analysis checks, credential harvesting, and real-time adaptation to user MFA methods (SMS OTP, TOTP, Push).
  • Real-Time Manipulation: Unlike static AitM proxies, this kit allows a human operator to intervene, entering stolen credentials on the legitimate Microsoft login page and guiding the victim through subsequent MFA steps via customized web pages.
  • Passkey Enrollment Spoofing: After gaining initial access, the kit redirects users to fake passkey registration pages (/passkey/register, /passkey/check) that mimic system dialogs but actually enroll the attacker's passkey.
  • Distraction Mechanism: Victims are prompted to save a fake 12-word recovery key, similar to crypto wallet mnemonics, to occupy them while the attacker completes the passkey registration in the background.

Industry Insight

  • Security Awareness Training: Organizations must update training to include scenarios involving voice-based social engineering and the specific risks of passkey enrollment, emphasizing that legitimate services never ask users to enroll passkeys via unsolicited phone calls.
  • Detection Strategies: Identity security solutions should monitor for anomalous passkey registrations, especially those initiated immediately after failed login attempts or unusual geographic locations, and flag real-time interactions with identity providers that deviate from standard automated flows.
  • Policy Adjustments: Administrators should consider restricting passkey enrollment permissions or requiring additional verification steps for new device registrations to mitigate the risk of unauthorized passkey additions by compromised accounts.

TL;DR

  • 攻击者利用“语音钓鱼”(Vishing)诱导微软365用户注册伪造的Entra Passkey,从而获取账户控制权。
  • 该攻击由Okta追踪为O-UNC-066,使用面板控制的钓鱼套件,可实时适配受害者的多因素认证(MFA)要求。
  • 攻击流程包括窃取凭据、绕过MFA验证,最后以“注册Passkey”为幌子进行数据勒索,利用用户对新技术的不熟悉进行心理操纵。
  • 此威胁与微软推动Passkey大规模采用的背景重合,攻击者滥用安全升级流程作为诱饵,针对食品、医疗、科技等多个行业。

为什么值得看

这篇文章揭示了针对身份验证系统的高级社会工程学攻击手法,特别是如何利用新兴的Passkey技术作为新的攻击面。对于安全从业者而言,它提供了关于实时交互式钓鱼套件如何绕过传统防御机制的重要情报,强调了在推广无密码认证时用户教育和监控的重要性。

技术解析

  • 攻击载体与工具:攻击者部署了一个由操作员控制的PHP面板钓鱼套件,不同于传统的中间人(AitM)静态页面,该套件能根据受害者的MFA类型(TOTP、推送通知、短信OTP)实时调整用户体验和页面内容。
  • 攻击链流程:首先通过语音通话诱导受害者访问钓鱼网站;随后窃取用户名和密码;操作员在后台使用这些凭据登录合法微软门户并触发MFA;受害者被引导输入MFA代码,操作员随即获得账户访问权。
  • Passkey伪装机制:在获取账户权限后,攻击者将受害者重定向至伪造的Passkey注册页面(/passkey/register等),利用类似加密货币助记词的12位恢复密钥步骤作为干扰手段,实则是在受害者不知情的情况下注册攻击者的Passkey,从而实现持久化访问和数据勒索。
  • 目标行业与关联组织:主要目标包括食品饮料、科技、医疗、汽车、建筑和航空业。该活动与名为“The Com”的去中心化网络犯罪集体有关,其成员包括Scattered Spider、ShinyHunters等知名黑客组织。

行业启示

  • 加强用户安全意识培训:随着Passkey等无密码技术的普及,用户对其工作原理缺乏了解易成为攻击突破口。企业需教育员工识别非标准的身份验证请求,特别是涉及电话指导操作的情况。
  • 优化身份验证监控策略:安全团队应监测异常的Passkey注册事件和多因素认证交互模式。由于攻击者能实时操控MFA流程,传统的日志分析可能需要结合行为分析来检测此类高级钓鱼活动。
  • 警惕社会工程学的演变:攻击者正从单纯的凭据窃取转向更复杂的交互式欺骗,利用技术升级(如Passkey推广)作为信任背书。防御策略需从单纯的技术防护扩展到对人为因素和社会工程学攻击的深度防御。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全