Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Uses AI Scanning to Discover Vulnerabilities Pre-Exploit
July 9, 2026
AI-Powered Attack Breaches AWS Cloud Environment in 72 Hours
July 9, 2026
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Home/Threats/Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts
Threats

Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts

Key Takeaways A sophisticated phishing campaign, active since April 2026, targets corporate Microsoft Entra ID accounts. Threat group O UNC 066 (also known as Pink) employs vishing and a custom...

Jennifer sherman
Jennifer sherman
July 9, 2026 5 Min Read
2 0

Key Takeaways

  • A sophisticated phishing campaign, active since April 2026, targets corporate Microsoft Entra ID accounts.
  • Threat group O UNC 066 (also known as Pink) employs vishing and a custom phishing kit to trick employees into registering attacker-controlled passkeys.
  • The attack leverages social engineering and real-time operator interaction to bypass multi-factor authentication (MFA) and establish persistent access.
  • Multiple industries, including food and beverage, technology, healthcare, automotive, construction, and aviation, have been targeted.
  • The primary goal of the attackers appears to be data theft for extortion, with links to public data leak sites.

Cybercriminals are actively exploiting a critical vulnerability in Microsoft Entra ID, weaponizing the very security feature designed to enhance account protection: passkeys. A persistent threat group, identified as O UNC 066 (and by Palo Alto Networks Unit 42 as Pink), has been orchestrating a cunning phone-based phishing campaign since April 2026. This campaign manipulates employees into unwittingly registering a passkey controlled by the attackers on their own corporate Microsoft accounts.

Table Of Content

  • Key Takeaways
  • The Deceptive Attack Flow
  • Hackers Abuse Microsoft Entra Passkey Enrollment
  • Infrastructure And Recommended Defenses
  • What You Should Do

This sophisticated operation combines social engineering tactics with a bespoke phishing kit. Attackers directly call employees, convincing them of an urgent need to register a new passkey. This message often resonates with users due to Microsoft’s ongoing efforts to promote passwordless sign-in methods, making the fraudulent request appear legitimate. The full details of this campaign are elaborated in a comprehensive report.

The Deceptive Attack Flow

The victim is directed to a meticulously crafted fake login page that mirrors their company’s legitimate branding. Unlike fully automated phishing tools, this kit operates with a live attacker at the helm, managing an operator-controlled panel. This human interaction allows the attacker to guide the victim through each step of the process in real-time, dynamically adjusting the fake screens based on the victim’s specific multi-factor authentication (MFA) method, whether it involves SMS codes, authenticator app prompts, or push notifications.

This real-time, adaptive approach significantly enhances the attack’s effectiveness, making it challenging for automated security defenses to detect and block. Security researchers from Okta, who identified and documented this campaign, noted that the group’s primary objective seems to be data exfiltration for extortion purposes, rather than immediate financial fraud. Okta said in a report shared with Cyber Security News (CSN) that the attackers have already been linked to a public data leak site used to pressure victims.

The affected sectors are broad, encompassing critical industries such as food and beverage, technology, healthcare, automotive, construction, and aviation. The distinctive nature of this campaign lies in its ability to transform a security enhancement into a persistent weapon. Instead of merely stealing a one-time password, the attackers establish a lasting foothold within the compromised account via the illicitly registered passkey, an access mechanism that can survive even a password reset.

Hackers Abuse Microsoft Entra Passkey Enrollment

The attack sequence commences with a phone call to the target from an individual impersonating IT support, asserting the necessity of registering a new passkey. The caller then sends a link containing the word “passkey,” hosted on a domain meticulously designed to appear official. Upon accessing this link, the custom phishing kit initiates a multi-stage process that faithfully replicates Microsoft’s authentic sign-in flow. A loading screen first appears, followed by a request for the user’s username and password.

These stolen credentials are immediately transmitted to the attacker’s backend control panel, enabling the operator to gain access to the legitimate account within moments. The phishing kit then adapts its display based on the victim’s configured MFA method. Whether the account uses a one-time code prompt, an authenticator app number match, or an SMS page, the victim is presented with a corresponding fake screen. The attacker acts as a real-time intermediary, relaying the required authentication code from the legitimate system to the unwitting victim, thereby bypassing the MFA protection.

Once past the authentication phase, the phishing kit executes its final maneuver. It presents a passkey setup screen and instructs the victim to save a recovery phrase, which is deliberately designed using BIP 39-style words, a technique commonly associated with cryptocurrency wallets. This step serves no legitimate purpose for the account; its sole function is to divert the victim’s attention while the attacker covertly registers their own passkey in the background. A final confirmation screen then falsely assures the victim that their passkey has been successfully created, solidifying the deception. Compounding the issue, Microsoft typically sends a legitimate notification when a new passkey is added, which victims often disregard, believing it confirms their own action.

Infrastructure And Recommended Defenses

Researchers have noted that the phishing kit does not interact with third-party identity providers, suggesting that organizations utilizing external federation services may not be directly susceptible to this particular compromise method. However, any organization relying solely on native authentication within Microsoft Entra ID remains vulnerable. To mitigate exposure, security teams are strongly advised to enroll users in phishing-resistant authenticators and to implement robust security awareness training, emphasizing the importance of verifying the identity of anyone claiming to be from IT support before complying with instructions. Furthermore, restricting account access based on device status, geographical location, and network context can significantly reduce the risk of account takeover.

Organizations should also configure alerts for all authenticator lifecycle events. This ensures that any unexpected passkey registrations are immediately flagged for investigation. Given the highly convincing nature of this phishing kit, which expertly mimics routine security updates, fostering a strong culture of staff awareness regarding passkey-related scams is as crucial as implementing technical controls.

What You Should Do

  • Implement Phishing-Resistant MFA: Prioritize the deployment of FIDO2 security keys or certificate-based authentication, which are inherently resistant to phishing.
  • Enhance Employee Training: Conduct regular, targeted training sessions on vishing (voice phishing) and passkey-related scams. Educate employees on how to verify IT support requests and report suspicious communications.
  • Monitor Authenticator Lifecycle Events: Configure alerts in Microsoft Entra ID for all passkey and authenticator registration events. Investigate any unexpected or unauthorized registrations immediately.
  • Restrict Access with Conditional Access Policies: Implement Conditional Access policies to restrict account access based on factors like device compliance, trusted network locations, and geographical regions.
  • Review and Audit Existing Passkeys: Regularly audit registered passkeys for all user accounts, especially those with elevated privileges, to identify and remove any unauthorized entries.
  • Be Skeptical of Urgent Requests: Advise employees to be highly suspicious of any unsolicited calls or messages demanding immediate action regarding their account security, especially those involving new passkey registrations.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerphishingSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical Linux Kernel Flaw Allows Root Access via DRM Render Nodes

Next Post

Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical HP Linux Printing Bug (CVE-2023-1704) Lets Attackers Run Code
July 9, 2026
Fake Paysafe, Skrill, Neteller Packages Steal API Keys and Tokens
July 9, 2026
Windows Update Installs LG Monitor App Pushing McAfee Ads
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us