Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks

Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks

Posted on July 10, 2026 By CWS

Hackers have found a new way to penetrate Microsoft 365 accounts by impersonating passkey enrollment processes. These cybercriminals, identified by Okta as O-UNC-066, are targeting a wide array of industries, including food and beverage, technology, healthcare, and aviation, through elaborate phishing schemes.

Using fake voice-based requests, these threat actors trick users into adding a new Entra passkey. This deceptive act is part of a larger strategy designed to extract data for extortion purposes. The criminals direct users to a phishing site that mimics the authentic Microsoft passkey registration process, thereby gaining unauthorized access to user accounts.

Understanding the Attack Methodology

The phishing operation involves a meticulously crafted kit that guides victims through a fake enrollment process. Unlike more common adversary-in-the-middle techniques, this method employs a PHP panel that operates in real-time, adapting to each user’s multi-factor authentication (MFA) requirements, such as TOTP or SMS OTP.

According to Okta researcher Houssem Eddine Bordjiba, the attackers register domains featuring the term ‘passkey’ to lend credibility to their scheme. Victims are then contacted by phone and urged to add a new passkey, unknowingly granting access to their Microsoft accounts.

Industries Under Threat

The threat actors have set their sights on various sectors, exploiting the increased adoption of passkeys for improved security. Microsoft’s initiative to encourage passkey registration is being manipulated by these criminals, who use the process as a pretext to insert their own passkeys into users’ accounts.

The phishing kit does not redirect users to third-party identity providers, such as Okta, but instead maintains control over the entire fraudulent process. This allows hackers to capture and use login credentials without alerting the victim to any external anomalies.

The Attack Sequence

The attack begins with an initial fake loading screen, followed by requests for usernames and passwords. Collected credentials are then forwarded to the hackers via a backend system. The user believes they are navigating a legitimate security process, while in reality, the hacker is orchestrating a takeover of their account.

The subsequent steps involve directing the user through a series of misleading pages that mimic Microsoft’s passkey registration. These pages include prompts to create and verify a passkey and save recovery keys, which are merely distractions to complete the malicious enrollment process.

Okta has observed that this phishing kit capitalizes on users’ unfamiliarity with passkey systems, creating a false sense of security. The group linked to these attacks has been associated with a data leak site named Pink since April 2026, and is tracked by Palo Alto Networks Unit 42 as part of a larger cybercrime collective.

As the threat landscape evolves, organizations must remain vigilant against such advanced phishing techniques, ensuring robust security protocols are in place to protect sensitive data.

The Hacker News Tags:Authentication, cyber attacks, Cybersecurity, data breach, data extortion, enterprise security, identity theft, Microsoft 365, O-UNC-066, Okta, passkey scam, Phishing, Threat Actors, Vishing, voice phishing

Post navigation

Previous Post: Top Unified Threat Management Solutions in 2026
Next Post: FastNetMon Unveils Netomics for Enhanced Routing Control

Related Posts

Fake VS Code Extensions Spread GlassWorm v2 Malware Fake VS Code Extensions Spread GlassWorm v2 Malware The Hacker News
Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages The Hacker News
Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms The Hacker News
Microsoft Alerts on Active Exploitation of Defender Vulnerabilities Microsoft Alerts on Active Exploitation of Defender Vulnerabilities The Hacker News
Update Your cPanel Server to Fix Critical Vulnerability Update Your cPanel Server to Fix Critical Vulnerability The Hacker News
Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark