AI Security AI安全 11h ago Updated 10h ago 更新于 10小时前 46

Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers Okta警告针对微软365客户的Vishing攻击

Okta warns of a sophisticated vishing campaign (tracked as O-UNC-066/Pink) targeting Microsoft 365 credentials via voice calls directing users to fake Entra ID login pages. The attack utilizes an operator-controlled PHP panel that manually guides victims through real-time authentication stages, bypassing automated credential harvesting methods. Threat actors enroll their own passkeys into compromised accounts while distracting users with irrelevant BIP-39 seed phrase verification steps. The camp Okta警告黑客组织O-UNC-066(又名Pink)发起针对多行业的Vishing(语音钓鱼)活动,旨在窃取Microsoft 365凭据。 攻击者通过语音通话诱导受害者访问伪造的Microsoft Entra ID登录页面,伪装成注册新Passkey的过程。 该钓鱼套件采用操作员控制的PHP面板,实时适应受害者的MFA类型,而非自动收集凭据。 攻击核心在于利用用户对Passkey机制的不熟悉,诱骗其批准攻击者注册的恶意Passkey,从而实现账户接管。 攻击者通过合法邮件通知掩盖痕迹,将恶意Passkey命名为看似无害的名称以逃避用户察觉。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Okta warns of a sophisticated vishing campaign (tracked as O-UNC-066/Pink) targeting Microsoft 365 credentials via voice calls directing users to fake Entra ID login pages.
  • The attack utilizes an operator-controlled PHP panel that manually guides victims through real-time authentication stages, bypassing automated credential harvesting methods.
  • Threat actors enroll their own passkeys into compromised accounts while distracting users with irrelevant BIP-39 seed phrase verification steps.
  • The campaign targets high-value sectors including automotive, aviation, healthcare, and technology primarily for data extortion purposes.

Why It Matters

This incident highlights a significant shift in phishing tactics from fully automated credential theft to manual, interactive attacks that leverage social engineering to bypass Multi-Factor Authentication (MFA). For security practitioners, it underscores the critical vulnerability of relying solely on technical controls when human interaction is manipulated in real-time, necessitating enhanced user awareness regarding unsolicited voice calls and unusual authentication requests.

Technical Details

  • Vishing Integration: The attack begins with voice calls instructing victims to register a new passkey, leading them to phishing sites that mimic Microsoft Entra ID interfaces using legitimate branding and CDN resources.
  • Operator-Controlled Panel: Unlike standard phishing kits, this infrastructure uses a PHP panel where operators manually monitor sessions, adapt content based on the victim's MFA type (SMS, TOTP, or Push), and authenticate in real-time.
  • Passkey Enrollment Exploit: After gaining initial access, the attacker enrolls a malicious passkey in the victim's account, naming it benignly to avoid detection in Microsoft notification emails.
  • Distraction Technique: Users are prompted to verify BIP-39 seed phrases, which are irrelevant to Microsoft Entra, serving as a cognitive distraction while the attacker finalizes account takeover.
  • Anti-Analysis Measures: The phishing pages include checks to prevent automated analysis and request credentials without redirecting to federated identity providers to maintain control over the authentication flow.

Industry Insight

  • Enhance Vishing Defenses: Organizations must implement specific training and protocols to identify and report unsolicited voice calls requesting sensitive information or authentication actions, as traditional email-focused security measures do not cover this vector.
  • Monitor Passkey Registrations: Security teams should configure alerts for new passkey registrations in Microsoft 365 environments, as these can serve as a persistent backdoor even after passwords are changed.
  • Adopt Zero Trust for Identity: Relying on MFA alone is insufficient against interactive attacks; implementing behavioral analytics and strict device compliance checks can help detect anomalous authentication patterns indicative of such campaigns.

TL;DR

  • Okta警告黑客组织O-UNC-066(又名Pink)发起针对多行业的Vishing(语音钓鱼)活动,旨在窃取Microsoft 365凭据。
  • 攻击者通过语音通话诱导受害者访问伪造的Microsoft Entra ID登录页面,伪装成注册新Passkey的过程。
  • 该钓鱼套件采用操作员控制的PHP面板,实时适应受害者的MFA类型,而非自动收集凭据。
  • 攻击核心在于利用用户对Passkey机制的不熟悉,诱骗其批准攻击者注册的恶意Passkey,从而实现账户接管。
  • 攻击者通过合法邮件通知掩盖痕迹,将恶意Passkey命名为看似无害的名称以逃避用户察觉。

为什么值得看

这篇文章揭示了身份认证攻击从传统的静态钓鱼向动态、交互式社会工程学的演变,特别是利用新兴技术(如Passkey)的认知盲区进行攻击。对于安全从业者而言,理解这种实时操纵MFA流程的技术手段有助于更新防御策略,加强对用户关于新型认证方式的教育,并优化对异常Passkey注册行为的监控机制。

技术解析

  • 攻击载体与诱饵:自四月起,攻击者使用语音电话(Vishing)作为初始接触点,引导受害者前往包含“passkey”关键词的伪造域名,页面高度模仿Microsoft Entra ID的Passkey注册流程,并利用微软CDN加载内容以增强可信度。
  • 动态钓鱼套件架构:不同于传统自动抓取凭据的工具,该PHP面板由操作员实时控制。在受害者输入用户名后,面板不立即重定向,而是执行反分析检查;随后操作员在后台尝试登录以探测启用的MFA类型(SMS OTP、TOTP或推送通知),并动态调整前端显示内容以匹配真实的验证流程。
  • Passkey劫持机制:攻击的关键步骤是诱导用户在伪造页面上“保存”攻击者控制的BIP-39助记词片段(实为分散注意力的干扰项)。与此同时,攻击者在后台直接向Microsoft注册自己的Passkey。由于微软会发送合法的注册通知邮件,攻击者可命名此Passkey为看似正常的名称,从而绕过用户的常规检查。
  • 目标行业:主要瞄准汽车、航空、建筑、食品饮料、医疗保健和技术领域的组织,主要动机为数据勒索。

行业启示

  • 强化Passkey安全意识教育:随着Passkey等无密码认证技术的普及,用户对其注册流程和安全性缺乏足够认知。企业需加强培训,明确告知用户真正的Passkey注册通常涉及设备本地系统对话框,而非网页表单输入,警惕任何要求手动输入或复制助记词的行为。
  • 实施异常行为检测:安全团队应监控Microsoft 365环境中的Passkey注册事件,特别是那些来自未知设备或IP地址的注册,以及被命名为看似无害但非用户预期的Passkey。结合邮件通知内容的异常分析,可更早发现此类账户接管尝试。
  • 多因素认证的策略优化:鉴于攻击者能实时适应MFA类型,单纯依赖MFA已不足以完全防御此类高级钓鱼攻击。建议引入基于风险的身份验证(Risk-based Authentication)和持续身份验证机制,对敏感操作进行额外验证,减少对单一MFA提示的依赖。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全