A threat actor has been targeting organizations across multiple sectors with voice-based fake security requests that ask Microsoft 365 users to enroll a new Entra passkey.
The attacker is taking advantage of a new capability Microsoft opened to administrators in May, allowing them to run “passkey registration campaigns” to entice users to enrol passkeys for more secure authentication.
The campaign has been running since April and involves calling targeted users and trying to convince them to register a new passkey under the attacker's control.
To mask the deception, the hacker directs victims to a phishing kit that imitates the legitimate Microsoft passkey enrollment process.
Cloud-based identity and access management (IAM) company Okta attributes the activity to an actor it tracks as O-UNC-066, which operates an extortion operation known as Pink.
Okta says that O-UNC-066 has been targeting users at organizations in the food and beverage, technology, healthcare, automotive, construction, and aviation industries.
The security upgrade ruse
During the campaign, targeted employees are contacted by phone under the pretext that they must enroll a new Microsoft Entra passkey for security reasons and are directed to phishing URLs that contain the word “passkey” in the domain name.
The malicious websites include the victim organization’s branding and mimic the real Entra passkey enrollment portal.
Unlike the more common adversary-in-the-middle (AiTM) proxy, the kit is an operator-controlled PHP panel in which the attacker guides the victim through the phishing process in real time, adapting the flow based on the multi-factor authentication (MFA) method used.
... continue reading