Cybercriminals are employing sophisticated voice-based phishing attacks to deceive Microsoft 365 users into enrolling fraudulent passkeys, thereby gaining unauthorized access to their accounts. This campaign, identified by security researchers, targets various industries, including food and beverage, technology, healthcare, automotive, construction, and aviation.
The attackers initiate the scheme by registering domains that incorporate the term ‘passkey’ to lend credibility to their ruse. They then contact potential victims via phone calls, posing as legitimate security personnel, and persuade them to register a new passkey for their Microsoft account. Unsuspecting users are directed to a phishing site that meticulously replicates Microsoft’s official passkey enrollment process. Believing they are enhancing their account security, victims inadvertently grant the attackers access by enrolling the attackers’ passkey.
This method exploits Microsoft’s recent initiative to encourage passkey adoption among users. By mimicking the legitimate enrollment process, the attackers effectively bypass traditional security measures, including multi-factor authentication (MFA). Unlike conventional adversary-in-the-middle (AitM) attacks that intercept credentials and MFA tokens, this approach involves real-time manipulation through a PHP-based phishing kit. The kit allows attackers to adapt to each victim’s specific MFA requirements, such as time-based one-time passwords (TOTP), push notifications with number matching, or SMS OTPs, thereby increasing the likelihood of successful account compromise.
The attack sequence unfolds as follows:
- The phishing kit displays a loading screen while performing anti-analysis checks.
- The user is prompted to enter their username and password.
- The entered credentials are transmitted to the attacker’s control panel.
- The attacker uses these credentials to access the legitimate Microsoft sign-in page for the targeted account.
- The phishing kit presents the user with MFA challenges corresponding to their account’s security settings.
- The user provides the necessary MFA information, which is then relayed to the attacker.
Upon successful authentication, the attacker registers their own passkey to the victim’s account, granting persistent access without the need for further authentication challenges. This method not only circumvents existing security protocols but also leverages the trust users place in voice communications and the perceived legitimacy of the passkey enrollment process.
To mitigate such threats, organizations should implement comprehensive security awareness training that emphasizes the risks associated with unsolicited requests for credential updates or security enhancements. Additionally, employing advanced threat detection systems capable of identifying and blocking phishing attempts, even those that mimic legitimate processes, is crucial. Regular audits of account access logs and prompt revocation of unauthorized passkeys can further enhance security posture.
This incident underscores the evolving nature of phishing attacks, where adversaries continuously adapt their tactics to exploit new security features and user behaviors. Vigilance and proactive security measures are essential to defend against these sophisticated social engineering schemes.