TechDogs-"Microsoft Entra Passkey Enrollment Attack Exposes Enterprises To Account Hijacking"

Cyber Security

Microsoft Entra Passkey Enrollment Attack Exposes Enterprises To Account Hijacking

By TechDogs Bureau

TD NewsDesk

Updated on Mon, Jul 13, 2026

Overall Rating

A cyber extortion group is exploiting Microsoft Entra passkey enrollment as part of a sophisticated voice-phishing campaign, manipulating employees into approving attacker access and potentially registering a passkey controlled by the criminals on their Microsoft 365 accounts.

 

TL;DR

  • Okta has tracked the campaign since April 2026 under the identifier O-UNC-066.
  • Attackers impersonate IT support and direct employees to customized Microsoft Entra phishing pages.
  • The phishing kit adapts in real time to SMS codes, authenticator prompts and number-matching challenges.
  • Enterprises across six major industries have been targeted, with data theft and extortion identified as the attackers’ primary motivation.
 

How Does The Microsoft Entra Passkey Enrollment Attack Work?

According to Okta Threat Intelligence, the operation has been active since April 2026 and is connected to a data-leak site named Pink. Palo Alto Networks Unit 42 reportedly tracks the related cluster as CL-CRI-1147.

The campaign begins when an attacker calls a targeted employee while pretending to represent the organization’s IT or security team. The employee is told that they must register a new Microsoft Entra passkey and is directed to a malicious domain that commonly includes the word “passkey.”

The phishing site copies Microsoft’s interface and incorporates the targeted company’s legitimate logo, background and branding. Generic visual components are loaded from Microsoft’s content delivery network, making the page appear more convincing.

Unlike conventional adversary-in-the-middle phishing tools, the kit uses an operator-controlled PHP panel. A one-second polling mechanism lets the operator control what the victim sees and adapt the process as the legitimate Microsoft authentication flow changes.

“The operator can use the kit to adapt the user experience to each victim’s MFA requirements,” Okta said, noting that it supports time-based one-time passwords, SMS codes and push notifications with number matching.

Credentials entered into the fake portal are sent to the operator, who uses them on Microsoft’s legitimate sign-in page. The phishing site displays a processing screen while the attacker checks which multifactor authentication challenge appears and then presents a matching prompt to the victim.

Once the employee approves the challenge, the attacker gains access to the Microsoft 365 account. The victim is then shown a fake passkey registration process while the attacker may register a credential under their own control.

The kit can also display a Microsoft-branded page asking the employee to save a recovery key consisting of BIP-39 seed words. Okta said it was unaware of any legitimate role for BIP-39 phrases in Microsoft Entra passkey registration, suggesting that the page is intended to distract or reassure unfamiliar users.

Which Enterprises Are Being Targeted?

Okta observed targeting across the food and beverage, technology, healthcare, automotive, construction and aviation sectors. The researchers identified data extortion as the operation’s primary motivation, making corporate email, cloud files and other Microsoft 365 resources potential targets.

The timing strengthens the social-engineering pretext. Microsoft introduced passkey registration campaigns that allow administrators to encourage employees to enroll passkeys during sign-in, giving fraudulent enrollment calls an appearance of legitimacy.

However, the attack does not break FIDO2 passkey cryptography. Microsoft says passkeys use origin-bound public-key cryptography and are “almost impossible to phish.” Instead, the campaign targets weaker authentication methods and employee trust during the enrollment stage.

Microsoft requires users to complete MFA within five minutes before registering a passkey. Administrators can also enforce authenticator attestation, restrict approved models or providers, delete unauthorized passkeys and apply phishing-resistant authentication strengths through Conditional Access.

The incident highlights an emerging enterprise security challenge: even phishing-resistant credentials can be undermined when attackers compromise the process used to issue them.

First published on Mon, Jul 13, 2026

Liked what you read? That’s only the tip of the tech iceberg!

Explore our vast collection of tech articles including introductory guides, product reviews, trends and more, stay up to date with the latest news, relish thought-provoking interviews and the hottest AI blogs, and tickle your funny bone with hilarious tech memes!

Plus, get access to branded insights from industry-leading global brands through informative white papers, engaging case studies, in-depth reports, enlightening videos and exciting events and webinars.

Dive into TechDogs' treasure trove today and Know Your World of technology like never before!

Disclaimer - Reference to any specific product, software or entity does not constitute an endorsement or recommendation by TechDogs nor should any data or content published be relied upon. The views expressed by TechDogs' members and guests are their own and their appearance on our site does not imply an endorsement of them or any entity they represent. Views and opinions expressed by TechDogs' Authors are those of the Authors and do not necessarily reflect the view of TechDogs or any of its officials. While we aim to provide valuable and helpful information, some content on TechDogs' site may not have been thoroughly reviewed for every detail or aspect. We encourage users to verify any information independently where necessary.

Loading comments...

  • Dark
  • Light