Okta has issued a warning about a vishing campaign targeting Microsoft 365 users across various sectors. Initiated in April, the scheme aims to steal user credentials through deceptive voice calls.
Vishing Campaign Targets Multiple Industries
The attackers, identified as group O-UNC-066 or CL-CRI-1147, have primarily focused on sectors such as automotive, aviation, construction, food and beverage, healthcare, and technology. The group, also known as Pink, seeks to extort data by tricking users into accessing fraudulent Microsoft Entra ID login pages.
Deceptive Tactics and Domain Manipulation
The threat actors have registered domains featuring the term ‘passkey’ to mislead users into believing they are engaging in legitimate Microsoft passkey processes. These sites are crafted to mirror official Microsoft enrollment pages, exploiting users’ trust.
Okta reports that the phishing kit employed in these attacks is distinct, with an operator-controlled PHP panel that requires active engagement to gather user credentials and multi-factor authentication tokens.
Complex Phishing Mechanism
Unlike typical phishing kits, this campaign involves real-time interaction, guiding victims through several authentication steps. The kit adapts based on the victim’s multi-factor authentication settings, impersonating legitimate process flows.
Okta highlights the attackers’ strategy of integrating BIP-39 phrases into the process, which seems irrelevant to Microsoft Entra operations. This step may serve as a diversion while the attackers register their own passkeys in victims’ accounts.
Upon registering a passkey, the compromised account receives a genuine notification from Microsoft, potentially masking the attacker’s actions under benign-seeming passkey names.
Implications and Recommendations
Okta’s alert underscores the sophistication of modern phishing attacks and the necessity for heightened vigilance and security measures. Users are advised to remain cautious of unsolicited communications and verify any passkey registration notifications with Microsoft.
As cyber threats continue to evolve, organizations and individuals alike must prioritize cybersecurity awareness and proactive measures to safeguard their digital assets.
