Hackers Abuse Microsoft Entra Passkey Enrollment to Hijack Enterprise Accounts


A threat actor is using voice phishing to trick Microsoft 365 users into registering attacker-controlled passkeys on their enterprise accounts, according to a new Okta Threat Intelligence report.

The campaign targets Microsoft Entra passkey enrollment, a legitimate security process designed to move users toward phishing-resistant authentication. Attackers do not break passkeys directly. Instead, they persuade employees to follow a fake enrollment flow while a live operator signs in to the real Microsoft account and registers a passkey controlled by the attacker.

Okta tracks the activity as O-UNC-066. Palo Alto Networks Unit 42 has also linked the broader Pink extortion brand to vishing-led initial access and data theft operations, according to a Unit 42 threat intelligence note.

What the attackers are doing

The attack starts with a phone call. The caller poses as IT support or a security team member and tells the employee that they need to register a new passkey for their Microsoft account.

This pretext works because Microsoft has been pushing organizations toward passwordless sign-in. Microsoft’s own registration campaign guidance explains how administrators can nudge users to set up passkeys or Microsoft Authenticator during sign-in.

The victim receives a phishing link hosted on a passkey-themed domain. The site copies Microsoft sign-in pages and can use the victim organization’s branding, which makes the process look like a normal company security update.

Attack stageWhat the victim seesWhat the attacker does
Phone callA caller claiming to be from IT supportBuilds trust and creates urgency
Fake login pageA Microsoft-style sign-in page with company brandingCollects the username and password
MFA promptA screen matching SMS, TOTP, or push approvalRelays the MFA challenge to access the real account
Fake passkey setupA passkey registration page and recovery phrase promptRegisters an attacker-controlled passkey in the real account
ConfirmationA message saying the passkey was createdLeaves the victim believing the enrollment was legitimate

Why the attack is effective

The phishing kit is not a standard transparent adversary-in-the-middle proxy. Okta says it uses an operator-controlled PHP panel where a live attacker steers the victim through each phase of authentication in near real time.

That live control matters. If the real Microsoft sign-in flow asks for an SMS code, the victim sees a fake SMS prompt. If it asks for an authenticator code or a number-matching push approval, the phishing page changes to match that method.

Microsoft describes passkeys as phishing-resistant credentials that use FIDO2 standards, WebAuthn in browsers, and CTAP for authenticator communication in its Microsoft Entra passkey documentation. This campaign works around that strength by compromising the enrollment moment, not by stealing an existing passkey secret.

The fake recovery phrase is a distraction

After the attacker gets through the login and MFA stages, the phishing site moves to a fake passkey setup screen. It asks the victim to save a recovery phrase made from BIP-39-style words.

That phrase does not apply to Microsoft Entra passkey registration. Okta says the fake phrase likely serves as a distraction while the attacker registers their own passkey in the legitimate Microsoft account.

The victim may then receive a real Microsoft email saying a new passkey was added. Because the fake site just told them the setup succeeded, they may dismiss the notification instead of reporting it.

Who is being targeted

Okta says the campaign has targeted enterprise organizations in food and beverage, technology, healthcare, automotive, construction, and aviation. The activity has been observed since April 2026.

The main goal appears to be data extortion. Okta linked the activity to a public leak site used to pressure victims, while the Pink extortion activity note from Unit 42 says the brand uses vishing for initial access and extortion.

The campaign also reflects a wider shift in enterprise intrusion activity. Many extortion groups now focus on cloud data theft and account takeover instead of deploying ransomware encryption.

Why passkey enrollment became a useful lure

Passkeys remain a strong security control when users and administrators enroll them correctly. Microsoft says passkeys can reduce prompts, remove passwords from sign-in, and provide phishing-resistant authentication through public key cryptography.

The O-UNC-066 MFA challenge page (Source – Okta)

The problem comes from user confusion during enrollment. Many employees still do not know what a legitimate passkey setup flow should look like, which gives callers room to invent a convincing process.

Microsoft’s passkey registration campaign documentation also shows why this timing matters. Users can legitimately see prompts during sign-in, so attackers can imitate a familiar security nudge with less resistance.

  • Passkeys protect sign-in when the real enrollment process stays under the user’s and organization’s control.
  • Voice phishing can convince users to approve the attacker’s authentication attempt.
  • Fake branding makes the phishing page feel internal and expected.
  • A real passkey notification may look harmless if the victim believes they just completed setup.
  • An attacker-controlled passkey can outlast a password reset if defenders do not remove it.

Indicators linked to the campaign

Okta listed several domains and URL paths associated with the phishing infrastructure. Security teams can use these indicators for hunting, alerting, and blocking, while recognizing that attackers may rotate infrastructure quickly.

TypeIndicatorPurpose
Domainassignpasskey[.]comUsed for per-victim phishing subdomains
Domaindeploypasskey[.]comUsed for per-victim phishing subdomains
Domainpasskeydeploy[.]comUsed for per-victim phishing subdomains
Domainpasskeyadd[.]comUsed for per-victim phishing subdomains
Domainsetpasskey[.]comUsed for per-victim phishing subdomains
InfrastructureAS57724DDoS-Guard-hosted infrastructure observed by Okta
InfrastructureAS59692IQWeb FZ-LLC-hosted infrastructure observed by Okta
URL path/gateLanding page and anti-analysis checks
URL path/identifyUsername collection page
URL path/passwordPassword collection page
URL path/backend.phpOperator backend panel
URL path/passkey/registerFake passkey registration flow
URL path/doneFinal fake confirmation page

What organizations should do now

Administrators should treat unexpected passkey registration as a high-risk identity event. The key alert is not only a suspicious login, but also a new authenticator or passkey added to an account after a phone-based support interaction.

Microsoft’s passkey setup guidance notes that administrators can control whether users can register passkeys through Security info. Organizations should review those settings, especially for privileged users and sensitive departments.

Teams should also train staff to verify IT support calls through a known internal channel. A real help desk should not ask users to visit an unfamiliar passkey domain, read out MFA codes, approve unexpected number-matching prompts, or follow a caller’s live authentication instructions.

  1. Alert on every new passkey, authenticator, security key, and authentication method registration.
  2. Require phishing-resistant authentication for privileged and sensitive accounts.
  3. Restrict passkey registration by device compliance, trusted network, or managed-device status where possible.
  4. Block access from countries, ASNs, or networks where the organization does not operate.
  5. Review recent authenticator lifecycle events for suspicious registrations.
  6. Remove unknown passkeys and revoke sessions for affected accounts.
  7. Teach users that Microsoft passkey registration does not use BIP-39-style recovery phrases.

Response steps after a suspected compromise

If a user reports a suspicious passkey enrollment call, administrators should act quickly. An attacker may already have valid credentials, an approved MFA challenge, and a newly registered passkey.

Immediate response should include session revocation, password reset where applicable, removal of unfamiliar authentication methods, review of mailbox rules, and inspection of SharePoint, OneDrive, Teams, and email access logs.

The O-UNC-066 passkey registration page (Source – Okta)

Administrators should also review the Microsoft Entra passkey model with help desk and security teams so they understand the difference between a legitimate platform dialog and a fake website-based recovery phrase flow.

The bigger risk

This campaign shows how attackers can weaponize security change management. A new security control can become a social engineering hook when users expect enrollment prompts but do not know how to validate them.

It also shows why identity events need the same urgency as malware alerts. In a cloud-first Microsoft 365 environment, a newly added passkey or authenticator can give an attacker durable access to email, files, chats, and business applications.

Okta’s analysis of the O-UNC-066 campaign makes one point clear: phishing-resistant authentication still needs phishing-resistant enrollment, strong help desk verification, and fast detection when authenticators change.

Organizations should continue adopting passkeys, but they should secure the rollout process as carefully as the sign-in process. The Microsoft Entra configuration guidance gives administrators the controls to shape who can register passkeys and under what conditions.

FAQ

What is the Microsoft Entra passkey enrollment phishing campaign?

It is a voice phishing campaign where attackers impersonate IT support and trick Microsoft 365 users into visiting a fake passkey enrollment page. A live operator then uses the victim’s credentials and MFA response to register an attacker-controlled passkey on the real account.

Are Microsoft Entra passkeys broken?

No. The campaign abuses the enrollment process through social engineering. Passkeys remain phishing-resistant credentials when users register them through the legitimate Microsoft flow and organizations control enrollment properly.

Who is behind the campaign?

Okta tracks the activity as O-UNC-066. The broader extortion activity is associated with Pink, a threat brand also referenced by Palo Alto Networks Unit 42.

Why does the fake site ask for a recovery phrase?

Okta says the BIP-39-style recovery phrase does not apply to Microsoft Entra passkey registration. It likely acts as a distraction while the attacker enrolls their own passkey in the legitimate Microsoft account.

How can organizations defend against this attack?

Organizations should alert on new passkey and authenticator registrations, restrict enrollment by device and network context, train users to verify IT support calls, remove unknown authenticators quickly, revoke suspicious sessions, and require phishing-resistant authentication for high-risk accounts.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages