Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers
Okta warns of a sophisticated vishing campaign (tracked as O-UNC-066/Pink) targeting Microsoft 365 credentials via voice calls directing users to fake Entra ID login pages. The attack utilizes an operator-controlled PHP panel that manually guides victims through real-time authentication stages, bypassing automated credential harvesting methods. Threat actors enroll their own passkeys into compromised accounts while distracting users with irrelevant BIP-39 seed phrase verification steps. The camp
Analysis
TL;DR
- Okta warns of a sophisticated vishing campaign (tracked as O-UNC-066/Pink) targeting Microsoft 365 credentials via voice calls directing users to fake Entra ID login pages.
- The attack utilizes an operator-controlled PHP panel that manually guides victims through real-time authentication stages, bypassing automated credential harvesting methods.
- Threat actors enroll their own passkeys into compromised accounts while distracting users with irrelevant BIP-39 seed phrase verification steps.
- The campaign targets high-value sectors including automotive, aviation, healthcare, and technology primarily for data extortion purposes.
Why It Matters
This incident highlights a significant shift in phishing tactics from fully automated credential theft to manual, interactive attacks that leverage social engineering to bypass Multi-Factor Authentication (MFA). For security practitioners, it underscores the critical vulnerability of relying solely on technical controls when human interaction is manipulated in real-time, necessitating enhanced user awareness regarding unsolicited voice calls and unusual authentication requests.
Technical Details
- Vishing Integration: The attack begins with voice calls instructing victims to register a new passkey, leading them to phishing sites that mimic Microsoft Entra ID interfaces using legitimate branding and CDN resources.
- Operator-Controlled Panel: Unlike standard phishing kits, this infrastructure uses a PHP panel where operators manually monitor sessions, adapt content based on the victim's MFA type (SMS, TOTP, or Push), and authenticate in real-time.
- Passkey Enrollment Exploit: After gaining initial access, the attacker enrolls a malicious passkey in the victim's account, naming it benignly to avoid detection in Microsoft notification emails.
- Distraction Technique: Users are prompted to verify BIP-39 seed phrases, which are irrelevant to Microsoft Entra, serving as a cognitive distraction while the attacker finalizes account takeover.
- Anti-Analysis Measures: The phishing pages include checks to prevent automated analysis and request credentials without redirecting to federated identity providers to maintain control over the authentication flow.
Industry Insight
- Enhance Vishing Defenses: Organizations must implement specific training and protocols to identify and report unsolicited voice calls requesting sensitive information or authentication actions, as traditional email-focused security measures do not cover this vector.
- Monitor Passkey Registrations: Security teams should configure alerts for new passkey registrations in Microsoft 365 environments, as these can serve as a persistent backdoor even after passwords are changed.
- Adopt Zero Trust for Identity: Relying on MFA alone is insufficient against interactive attacks; implementing behavioral analytics and strict device compliance checks can help detect anomalous authentication patterns indicative of such campaigns.
Disclaimer: The above content is generated by AI and is for reference only.