Close Menu
    What's Hot

    Wimbledon: Alfie Hewett and Gordon Reid win seventh wheelchair doubles title defeating Gustavo Fernandez and Tokito Oda in three sets | Tennis News

    Trump Justifies $2 Billion Made as President With Inaccurate Claims

    Sheinbaum takes on cartels, Trump and the legacy of 1968 | Features

    Facebook X (Twitter) Instagram
    Trending
    • Wimbledon: Alfie Hewett and Gordon Reid win seventh wheelchair doubles title defeating Gustavo Fernandez and Tokito Oda in three sets | Tennis News
    • Trump Justifies $2 Billion Made as President With Inaccurate Claims
    • Sheinbaum takes on cartels, Trump and the legacy of 1968 | Features
    • Inside the Canadian Lab Burning Down Buildings to Save Them
    • Beatbot AquaSense X Review: A Pool Robot That Cleans Itself
    • Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access
    • Housing market shift explained—and where it’s happening the quickest
    • Opinion | In Sudan, a Preventable Atrocity
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access

    adminBy adminJuly 11, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananJul 10, 2026Enterprise Security / Authentication

    Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access

    A threat actor has been targeting organizations spanning multiple sectors with voice-based fake security requests that prompt Microsoft 365 users to enroll a new Entra passkey with an aim to carry out data extortion attacks.

    The threat actor, tracked by Okta under the moniker O-UNC-066, has deployed a panel-controlled phishing kit that’s capable of targeting the passkey enrollment process. The activity has singled out food and beverage, technology, healthcare, automotive, construction, and aviation industries.

    “The threat actor registers domains that incorporate the word passkey as part of a voice-enabled phishing (‘vishing’) scheme,” Okta researcher Houssem Eddine Bordjiba said. “The threat actor then calls targeted users on the phone in an attempt to persuade them that they need to register a new passkey.”

    Users are then directed to a phishing kit that’s identical to the Microsoft passkey enrollment process, giving the impression that they are adding a passkey with Microsoft, when, in reality, the threat actor registers their own passkey against their Microsoft account, granting them unauthorized access.

    Cybersecurity

    The development coincides with Microsoft allowing administrators to configure registration campaigns to nudge users to register passkeys during sign-in in an attempt to help organizations drive passkey adoption at scale. In other words, threat actors are abusing the phishing-resistant security upgrade process as a lure to enroll their own passkeys within victims’ accounts and facilitate follow-on activities.

    Unlike adversary-in-the-middle (AitM) landing pages that are prevalent in phishing campaigns designed to steal credentials and multi-factor authentication (MFA) tokens, the phishing kit used in these attacks is an operator-controlled PHP panel in which a victim is guided through the passkey enrollment process in almost real-time.

    “The operator can use the kit to adapt the user experience to each victim’s MFA requirements (TOTP, push notification with number matching, SMS OTP) during the session,” the identity security company said. “The caller can control and adjust in real time what phishing pages and notifications a targeted user sees.”

    It’s suspected that the threat actor is leveraging the kit to take over the victim account and trick the user into approving an attacker-initiated registration of a passkey. There is no indication at this stage to suggest that the kit is redirecting users to third-party identity providers like Okta.

    The entire sequence of actions is below –

    • The first page of the phishing kit (/gate) displays a page loading icon while the phishing kit performs anti-analysis checks in the background.
    • The second page (/identify) requests a username.
    • The next page (/password) challenges the user for a password.
    • The harvested credentials are sent in a POST request to an operator panel at “/backend.php.”
    • The phishing kit operator (likely different from the individual calling the victim) enters the stolen credentials on the legitimate Microsoft sign-in page for the targeted tenant.
    • The victim sees a “/processing” page that serves another loading screen as it awaits the operator’s instruction based on the observed MFA challenges presented to them in the legitimate flow.
    • The next page of the phishing kit is presented to the user: “/submit-otp” for an SMS-based one-time password (OTP) challenge, “/submit-authenticator” for time-based OTP challenge, or “/approve-authenticator” for a push MFA challenge.
    • The captured OTP is sent in a POST request to “/backend.php.”

    At this point, the victim has been deceived over the phone into approving the attacker’s access to their Microsoft 365 account. The attack chain then initiates another set of actions focused around the passkey pretext –

    • The victim is redirected to the “/passkey/register” page, which instructs the user to create a passkey.
    • The Microsoft-branded “/passkey” page prompts the user to save their recovery key for confirming their passkey.
    • The “/passkey/check” page asks the user to verify the final word used in the seed phrase.
    • The “/done” page confirms that a passkey registration was successful.
    Cybersecurity

    The recovery key contains a series of 12 words that’s similar to secret recovery phrase or mnemonic phrase typically associated with cryptocurrency wallets. The step is assessed to be a distraction mechanism to keep the victim occupied with the task, while they enrolled their own passkey in the Microsoft account.

    “The phishing kit appears to prey on lack of user familiarity with passkey authentication,” Okta explained. “In a real passkey registration ceremony, the user might expect a system dialog to register a passkey on their device. The passkey pages in this phishing kit appear to mimic this process without registering a passkey.”

    Okta noted that a threat actor linked to O-UNC-066 has been operating a data leak site since April 2026 under the name Pink. Palo Alto Networks Unit 42 is tracking this cluster as CL-CRI-1147, describing it as affiliated with a decentralized cybercrime collective known as The Com, of which Scattered Spider, ShinyHunters, and LAPSUS$ are part of.

    access Enrollment Entra fake Gain hackers Microsoft Passkey
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleHousing market shift explained—and where it’s happening the quickest
    Next Article Beatbot AquaSense X Review: A Pool Robot That Cleans Itself
    admin
    • Website

    Related Posts

    Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions

    July 11, 2026

    Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking

    July 11, 2026

    Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

    July 11, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Wimbledon: Alfie Hewett and Gordon Reid win seventh wheelchair doubles title defeating Gustavo Fernandez and Tokito Oda in three sets | Tennis News

    Trump Justifies $2 Billion Made as President With Inaccurate Claims

    Sheinbaum takes on cartels, Trump and the legacy of 1968 | Features

    Inside the Canadian Lab Burning Down Buildings to Save Them

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by