Hackers Abuse Microsoft Entra Passkey Enrollment to Hijack Enterprise Accounts | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker


Cybercriminals have found a new way to hijack corporate Microsoft accounts by exploiting the very feature meant to protect them: passkeys.

A threat group tracked as O UNC 066, also called Pink by Palo Alto Networks Unit 42, has run a phone based phishing campaign since April 2026 that tricks employees into registering an attacker controlled passkey on their own accounts.

The scheme mixes social engineering with a custom phishing kit. Attackers call employees directly and convince them their account needs a new passkey, a message that sounds routine given Microsoft’s recent push to nudge users toward passwordless sign in.

The victim is guided to a fake login page mirroring their own company’s branding. Behind that page sits an operator controlled panel rather than a fully automated tool.

A live attacker walks each victim through the process step by step, adapting fake screens depending on whether the account uses SMS codes, authenticator app prompts, or push notifications.

This real time control makes the attack harder to catch through automated defenses. Security researchers from Okta identified and detailed this campaign, noting the group’s main goal appears to be data theft for extortion rather than immediate financial fraud.

Okta said in a report shared with Cyber Security News (CSN) that the attackers have already been linked to a public data leak site used to pressure victims.

The O-UNC-066 Microsoft sign-in page (Source – Okta)

Affected industries span food and beverage, technology, healthcare, automotive, construction, and aviation. What makes this campaign notable is how it turns a security upgrade into a weapon.

Rather than stealing a password once and moving on, attackers use the fake enrollment to plant a persistent foothold inside the account, one that can outlast a password reset.

Hackers Abuse Microsoft Entra Passkey Enrollment

The attack begins when a target gets a call from someone posing as IT support, insisting a new passkey must be registered. The caller sends a link containing the word passkey, hosted on a domain built to look official.

Once opened, the kit walks the victim through a sequence copying Microsoft’s real sign in flow. A loading screen appears first, followed by a request for the username and password.

Those credentials are captured and sent to the attacker’s backend panel, letting the operator log into the real account within seconds.

Depending on which multi factor method the account uses, the victim sees a matching fake screen, whether a one time code prompt, an authenticator app number match, or an SMS page.

The attacker relays whatever code the real system requests, using the victim as an unwitting proxy to defeat their own MFA protection.

Once past authentication, the kit shifts into its final act. It shows a passkey setup screen and asks the victim to save a recovery phrase built from BIP 39 style words, a technique borrowed from cryptocurrency wallets.

This step does nothing for the account. It exists purely to occupy attention while the attacker registers their own passkey in the background.

A final confirmation screen tells the victim their passkey was successfully created, reinforcing the illusion.

Since Microsoft sends a legitimate notification when a new passkey is added, victims often dismiss that email, believing they completed the process themselves.

Researchers noted the kit does not interact with third party identity providers, so organizations using external federation have not shown signs of direct compromise.

Any organization relying on native authentication alone remains at risk. To limit exposure, security teams should enroll users in phishing resistant authenticators and train staff to verify the identity of anyone claiming to be from IT support before acting on instructions.

The O-UNC-066 passkey registration page (Source - Okta)
The O-UNC-066 passkey registration page (Source – Okta)

Restricting account access by device status, geography, and network context can also reduce takeover risk.

Organizations should configure alerts for every authenticator lifecycle event so unexpected passkey registrations get flagged immediately.

Given how convincingly this kit imitates a routine update, staff awareness on passkey scams may prove just as valuable as technical controls.

Indicators of compromise (IoCs):-

TypeIndicatorDescription
Domainassignpasskey[.]comRegistered 2026-06-14 (Internet Domain Service BS Corp, DDoS-Guard); used to host per-victim phishing subdomains 
Domaindeploypasskey[.]comRegistered 2026-04-21 (Tucows, DDoS-Guard); used to host per-victim phishing subdomains 
Domainpasskeydeploy[.]comRegistered 2026-04-23 (Internet Domain Service BS Corp, DDoS-Guard); used to host per-victim phishing subdomains 
Domainpasskeyadd[.]comRegistered 2026-05-08 (Tucows, DDoS-Guard); used to host per-victim phishing subdomains 
Domainsetpasskey[.]comRegistered 2026-05-23 (IQWeb FZ-LLC); used to host per-victim phishing subdomains 
InfrastructureAS57724 (DDoS-Guard, Russia)Autonomous System hosting phishing infrastructure 
InfrastructureAS59692 (IQWeb FZ-LLC, US)Autonomous System hosting phishing infrastructure 
URL Path/gateInitial phishing kit landing page performing anti-analysis checks 
URL Path/identifyPage requesting the victim’s username 
URL Path/passwordPage requesting the victim’s password, POSTed to /backend.php 
URL Path/backend.phpOperator backend panel receiving stolen credentials and OTPs 
URL Path/processingLoading page shown while the operator authenticates with stolen credentials 
URL Path/submit-otpPage capturing SMS one-time passcodes 
URL Path/submit-authenticatorPage capturing TOTP authenticator codes 
URL Path/approve-authenticatorPage prompting victim to approve a push MFA number match 
URL Path/passkey/registerPage initiating the fake passkey registration flow 
URL Path/passkeyPage displaying a fake BIP-39 style recovery phrase 
URL Path/passkey/checkPage verifying the final word of the fake recovery phrase 
URL Path/doneFinal confirmation page falsely indicating successful passkey setup 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.



Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW