Hackers Exploit Microsoft Entra Passkey Enrollment to Hijack Accounts

Cybercriminals have devised a sophisticated scheme to compromise corporate Microsoft 365 accounts by exploiting the passkey enrollment feature in Microsoft Entra. This campaign, active since April 2026, involves attackers impersonating internal security personnel to deceive employees into registering attacker-controlled passkeys on their accounts.

The attackers initiate the scheme by placing voice calls to targeted employees, claiming that a new passkey registration is necessary for enhanced security. Leveraging Microsoft’s recent initiatives to promote passwordless authentication, this request appears legitimate to unsuspecting users. The victims are then directed to a phishing website that closely mimics Microsoft’s genuine passkey enrollment interface.

Once on the fraudulent site, victims are prompted to enter their Microsoft 365 credentials and complete multi-factor authentication (MFA) challenges. The phishing kit is designed to adapt to various MFA methods, including time-based one-time passwords (TOTP), push notifications with number matching, and SMS one-time passwords (OTP). This adaptability allows the attacker to capture the necessary authentication details in real-time.

After successfully obtaining the credentials and MFA responses, the attacker registers a passkey under their control on the victim’s account. To further deceive the user, the phishing site presents a fake recovery phrase, resembling those used in cryptocurrency wallets, which serves no functional purpose but adds an air of legitimacy to the process.

Security researchers have attributed this campaign to a threat actor tracked as O-UNC-066, associated with the Pink extortion operation. The primary objective appears to be data theft for extortion purposes, with compromised accounts being used to exfiltrate sensitive information from platforms like SharePoint and OneDrive. Affected industries include food and beverage, technology, healthcare, automotive, construction, and aviation.

This attack underscores the importance of continuous vigilance and user education in the face of evolving social engineering tactics. Organizations should implement robust security measures, such as regular employee training on phishing awareness, stringent verification processes for security-related requests, and monitoring for unusual account activities. Additionally, reviewing and updating authentication policies to detect and prevent unauthorized passkey registrations can help mitigate such threats.