Fake Entra passkey enrollment calls target Microsoft 365 users in new vishing wave
By
Mr Bagel
A threat actor linked to a known extortion operation is using voice phishing to trick Microsoft 365 users into enrolling a fraudulent Entra passkey, according to separate reports from BleepingComputer and a security researcher. The campaign impersonates legitimate IT security requests, directing victims to phishing sites that steal credentials and multi-factor authentication responses.
BleepingComputer reported that the attackers call victims claiming they need to enroll a new passkey for Microsoft Entra, then route them to fake enrollment pages. The campaign targets organizations across multiple sectors, and after account takeover, the threat actor rapidly exfiltrates data from Microsoft services.
Security researcher hendryadrian.com tracked the activity to a group designated O-UNC-066, which is also associated with the Pink extortion operation. Okta attributed the campaign to this group, which uses vishing to bypass MFA protections.
"The attackers call victims claiming they need to enroll a new passkey, then direct them to phishing sites mimicking legitimate Entra enrollment pages to steal credentials and MFA responses."
This real-time credential theft allows the actor to immediately compromise accounts and move laterally within targeted Microsoft 365 environments. Both sources emphasize that the social engineering is sophisticated, using voice calls that sound urgent and official.
BleepingComputer noted that the threat actor's speed of data exfiltration after takeover is a key concern for defenders. The campaign underscores how attackers are adapting to authentication advances like passkeys by targeting the human enrollment process itself.
The reporting
2 outlets covered this story. Each links to the original.
Baker's Take
Comments
Sign in to join the conversation.
No comments yet. Be the first.