Hackers have found a new way to penetrate Microsoft 365 accounts by impersonating passkey enrollment processes. These cybercriminals, identified by Okta as O-UNC-066, are targeting a wide array of industries, including food and beverage, technology, healthcare, and aviation, through elaborate phishing schemes.
Using fake voice-based requests, these threat actors trick users into adding a new Entra passkey. This deceptive act is part of a larger strategy designed to extract data for extortion purposes. The criminals direct users to a phishing site that mimics the authentic Microsoft passkey registration process, thereby gaining unauthorized access to user accounts.
Understanding the Attack Methodology
The phishing operation involves a meticulously crafted kit that guides victims through a fake enrollment process. Unlike more common adversary-in-the-middle techniques, this method employs a PHP panel that operates in real-time, adapting to each user’s multi-factor authentication (MFA) requirements, such as TOTP or SMS OTP.
According to Okta researcher Houssem Eddine Bordjiba, the attackers register domains featuring the term ‘passkey’ to lend credibility to their scheme. Victims are then contacted by phone and urged to add a new passkey, unknowingly granting access to their Microsoft accounts.
Industries Under Threat
The threat actors have set their sights on various sectors, exploiting the increased adoption of passkeys for improved security. Microsoft’s initiative to encourage passkey registration is being manipulated by these criminals, who use the process as a pretext to insert their own passkeys into users’ accounts.
The phishing kit does not redirect users to third-party identity providers, such as Okta, but instead maintains control over the entire fraudulent process. This allows hackers to capture and use login credentials without alerting the victim to any external anomalies.
The Attack Sequence
The attack begins with an initial fake loading screen, followed by requests for usernames and passwords. Collected credentials are then forwarded to the hackers via a backend system. The user believes they are navigating a legitimate security process, while in reality, the hacker is orchestrating a takeover of their account.
The subsequent steps involve directing the user through a series of misleading pages that mimic Microsoft’s passkey registration. These pages include prompts to create and verify a passkey and save recovery keys, which are merely distractions to complete the malicious enrollment process.
Okta has observed that this phishing kit capitalizes on users’ unfamiliarity with passkey systems, creating a false sense of security. The group linked to these attacks has been associated with a data leak site named Pink since April 2026, and is tracked by Palo Alto Networks Unit 42 as part of a larger cybercrime collective.
As the threat landscape evolves, organizations must remain vigilant against such advanced phishing techniques, ensuring robust security protocols are in place to protect sensitive data.
