Microsoft 365 Users Targeted in Entra Passkey Voice Phishing Attack


entra pshishing attack
Image credit: Microsoft

A threat actor is using voice phishing to target Microsoft 365 users and trick them into enrolling a new Microsoft Entra passkey controlled by the attacker.

The campaign abuses Microsoft’s passkey registration campaign feature, which became available to admins in May. Attackers call employees and claim they need to register a new passkey for security reasons. The activity has reportedly been active since April.

Attackers imitate Microsoft Entra passkey enrollment

Victims are directed to phishing pages that imitate Microsoft’s legitimate Entra passkey enrollment process.

The fake sites often include the victim organization’s branding, making the process look more convincing. Instead of registering their own passkey, victims unknowingly help the attacker add a passkey that the threat actor controls.

Phishing kit uses live attacker guidance

According to Okta, the phishing kit does not work like a standard adversary-in-the-middle proxy.

Instead, it uses an operator-controlled PHP panel that lets the attacker guide the victim through the login process in near real time.

This allows the attacker to adjust the phishing flow depending on the victim’s MFA method, including TOTP codes, push notifications, SMS codes, or number matching.

Credentials and MFA responses entered by the victim are relayed to the attacker, who can then use them to access the victim’s Microsoft account.

Okta tracks the threat actor as O-UNC-066.

The group is linked to an extortion operation known as Pink, which is reportedly connected to The Com, a decentralized cybercriminal network.

Pink is known for voice phishing, IT impersonation, credential theft, MFA code theft, and data extortion.

The campaign has targeted organizations in food and beverage, technology, healthcare, automotive, construction, and aviation.

Attackers steal SharePoint and OneDrive data

After gaining access, Pink reportedly moves quickly to steal data from SharePoint and OneDrive.

The group launched an extortion site on May 31 to publish stolen data samples and pressure victims into paying.

Organizations should verify helpdesk identity more carefully when employees receive unexpected calls about account security changes.

Companies should also train users to treat unsolicited calls about new authentication methods as suspicious, especially when the caller asks them to register a passkey or approve an MFA prompt.

This is not the only recent phishing campaign targeting enterprise users. Kaspersky has warned about an attack abusing OAuth flows, while the ARToken phishing platform was recently exposed.

IT support scams have also been used to distribute EtherRAT malware, showing that social engineering remains a major entry point for attackers.

Via BleepingComputer

More about the topics: Microsoft 365, microsoft entra, Phishing

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

User forum

0 messages