Ethical Hacking News
Hackers are exploiting Microsoft 365 passkey enrollment processes to gain unauthorized access to user accounts. Using fake security requests and voice-based phishing schemes, attackers are tricking users into enrolling a new Entra passkey, allowing them to carry out data extortion attacks. This novel tactic has emerged as part of a broader strategy by threat actors to target organizations across multiple sectors.
Hackers are exploiting Microsoft 365 passkey enrollment processes to gain unauthorized access to user accounts. Threat actors use fake security requests and voice-based phishing schemes to trick users into enrolling a new Entra passkey. Attackers can carry out data extortion attacks using this tactic, targeting organizations across multiple sectors. The phishing kit used in these attacks appears to prey on lack of user familiarity with passkey authentication. The development of this phishing kit coincides with Microsoft's attempt to drive passkey adoption at scale.
In an increasingly sophisticated cyber threat landscape, a new modus operandi (MO) has emerged where hackers are exploiting Microsoft 365 passkey enrollment processes to gain unauthorized access to user accounts. This novel tactic involves the use of fake security requests, which prompt users to enroll a new Entra passkey, thereby allowing attackers to carry out data extortion attacks.
According to recent findings, threat actors have been targeting organizations across multiple sectors, including food and beverage, technology, healthcare, automotive, construction, and aviation industries. These threats are being carried out using voice-based phishing (vishing) schemes, where the attacker registers domains that incorporate the word "passkey" as part of the scheme.
The attackers then call targeted users on the phone, attempting to persuade them that they need to register a new passkey. Once the user has been convinced, they are directed to a phishing kit that is identical to the Microsoft 365 passkey enrollment process. This gives the impression that the user is adding a passkey with Microsoft, when in reality, the attacker registers their own passkey against their Microsoft account, granting them unauthorized access.
This new phishing kit is an operator-controlled PHP panel, which guides the victim through the passkey enrollment process in almost real-time. The operator can use this kit to adapt the user experience to each victim's MFA requirements (TOTP, push notification with number matching, SMS OTP) during the session.
The entire sequence of actions is as follows:
1. The first page of the phishing kit (/gate) displays a page loading icon while the phishing kit performs anti-analysis checks in the background.
2. The second page (/identify) requests a username.
3. The next page (/password) challenges the user for a password.
4. The harvested credentials are sent in a POST request to an operator panel at "/backend.php."
5. The phishing kit operator enters the stolen credentials on the legitimate Microsoft sign-in page for the targeted tenant.
6. The victim sees a "/processing" page that serves another loading screen as it awaits the operator's instruction based on the observed MFA challenges presented to them in the legitimate flow.
7. The next page of the phishing kit is presented to the user: "/submit-otp" for an SMS-based one-time password (OTP) challenge, "/submit-authenticator" for time-based OTP challenge, or "/approve-authenticator" for a push MFA challenge.
8. The captured OTP is sent in a POST request to "/backend.php."
9. At this point, the victim has been deceived over the phone into approving the attacker's access to their Microsoft 365 account. The attack chain then initiates another set of actions focused around the passkey pretext.
It is worth noting that this phishing kit appears to prey on lack of user familiarity with passkey authentication. In a real passkey registration ceremony, the user might expect a system dialog to register a passkey on their device. However, the phishing kit used in these attacks appears to mimic this process without registering a passkey.
The development of this phishing kit coincides with Microsoft allowing administrators to configure registration campaigns to nudge users to register passkeys during sign-in in an attempt to help organizations drive passkey adoption at scale. This has created an opportunity for threat actors to abuse the phishing-resistant security upgrade process as a lure to enroll their own passkeys within victims' accounts and facilitate follow-on activities.
In addition, it is suspected that the threat actor linked to O-UNC-066 has been operating a data leak site since April 2026 under the name Pink. Palo Alto Networks Unit 42 is tracking this cluster as CL-CRI-1147, describing it as affiliated with a decentralized cybercrime collective known as The Com, of which Scattered Spider, ShinyHunters, and LAPSUS$ are part of.
Hackers are exploiting Microsoft 365 passkey enrollment processes to gain unauthorized access to user accounts. Using fake security requests and voice-based phishing schemes, attackers are tricking users into enrolling a new Entra passkey, allowing them to carry out data extortion attacks. This novel tactic has emerged as part of a broader strategy by threat actors to target organizations across multiple sectors.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Leverage-Microsoft-365-Passkey-Enrollment-Process-for-Phishing-Attacks-ehn.shtml
https://thehackernews.com/2026/07/hackers-use-fake-microsoft-entra.html
Published: Fri Jul 10 07:42:08 2026 by llama3.2 3B Q4_K_M