Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Meta Patents AI Device That Tracks Your Emotions, Watches You Take Your Meds

    July 8, 2026

    Entra passkey enrollment vishing targets Microsoft 365 users

    July 8, 2026

    3 Ways AI Powers Service Desk Attacks and How to Prevent Them

    July 8, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»Entra passkey enrollment vishing targets Microsoft 365 users
    News

    Entra passkey enrollment vishing targets Microsoft 365 users

    adminBy adminJuly 8, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Entra passkey enrollment vishing targets Microsoft 365 users

    A threat actor has been targeting organizations across multiple sectors with voice-based fake security requests that ask Microsoft 365 users to enroll a new Entra passkey.

    The attacker is taking advantage of a new capability Microsoft opened to administrators in May, allowing them to run “passkey registration campaigns” to entice users to enrol passkeys for more secure authentication.

    The campaign has been running since April and involves calling targeted users and trying to convince them to register a new passkey under the attacker’s control.

    image

    To mask the deception, the hacker directs victims to a phishing kit that imitates the legitimate Microsoft passkey enrollment process.

    Cloud-based identity and access management (IAM) company Okta attributes the activity to an actor it tracks as O-UNC-066, which operates an extortion operation known as Pink.

    Okta says that O-UNC-066 has been targeting users at organizations in the food and beverage, technology, healthcare, automotive, construction, and aviation industries.

    The security upgrade ruse

    During the campaign, targeted employees are contacted by phone under the pretext that they must enroll a new Microsoft Entra passkey for security reasons and are directed to phishing URLs that contain the word “passkey” in the domain name.

    The malicious websites include the victim organization’s branding and mimic the real Entra passkey enrollment portal.

    Unlike the more common adversary-in-the-middle (AiTM) proxy, the kit is an operator-controlled PHP panel in which the attacker guides the victim through the phishing process in real time, adapting the flow based on the multi-factor authentication (MFA) method used.

    “[The phishing kit] is an operator-controlled PHP panel in which a threat actor steers victims through various stages of authentication in close to real-time using a 1-second heartbeat polling mechanism,” explains Okta.

    “The operator can use the kit to adapt the user experience to each victim’s MFA requirements (TOTP, push notification with number matching, SMS OTP) during the session.”

    Credentials and MFA responses entered by the victim in the kit’s screens are relayed to the operator, who uses them to authenticate to the victim’s Microsoft account.

    Fake passkey creation page
    Fake passkey creation page
    Source: Okta

    While the victim believes they are registering a new passkey on their accounts, the attacker is actually registering a passkey they control.

    After gaining access, the phishing site presents the victim with fake Microsoft-branded passkey registration pages, prompting them to save a fake BIP-39 recovery phrase and confirm one word from it.

    Fake recovery phrase
    Fake recovery phrase
    Source: Okta

    Okta notes that BIP-39 seed phrases don’t have any role in legitimate Microsoft Entra passkey enrollment, but could serve as a distraction for users who are unfamiliar with the process.

    Pink extortion gang

    According to Palo Alto Networks Unit 42, Pink is a new extortion brand affiliated with the decentralized threat network known as The Com (short for The Community).

    The threat actor is known for using vishing (voice phishing) and IT impersonation to collect credentials and multi-factor authentication (MFA) codes, which are used in attacks that steal company data.

    The Pink threat group launched an extortion site on May 31, where they publish samples of the stolen data to pressure compromised victims into paying a ransom.

    The Pink extortion site
    The Pink extortion site
    Source: Okta

    Researchers say that after gaining access to a victim’s account, Pink moves quickly to exfiltrate data from SharePoint and OneDrive services.

    Brad Duncan, Principal Threat Researcher at Palo Alto Networks Unit 42, noted in early June that some of the phishing domains used by Pink included the word “passkey.”

    Okta recommends that organizations establish methods to better verify the identity of helpdesk personnel when contacting users, as well as deny requests from locations where the company does not offer services.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous Article3 Ways AI Powers Service Desk Attacks and How to Prevent Them
    Next Article Meta Patents AI Device That Tracks Your Emotions, Watches You Take Your Meds
    admin
    • Website

    Related Posts

    News

    Meta Patents AI Device That Tracks Your Emotions, Watches You Take Your Meds

    July 8, 2026
    News

    3 Ways AI Powers Service Desk Attacks and How to Prevent Them

    July 8, 2026
    News

    We Are Living in a ‘ChatGPT Flyer Pandemic’

    July 8, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202633 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202633 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Our Picks

    Meta Patents AI Device That Tracks Your Emotions, Watches You Take Your Meds

    July 8, 2026

    Entra passkey enrollment vishing targets Microsoft 365 users

    July 8, 2026

    3 Ways AI Powers Service Desk Attacks and How to Prevent Them

    July 8, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.