Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts
Key Takeaways A sophisticated phishing campaign, active since April 2026, targets corporate Microsoft Entra ID accounts. Threat group O UNC 066 (also known as Pink) employs vishing and a custom...
Key Takeaways
- A sophisticated phishing campaign, active since April 2026, targets corporate Microsoft Entra ID accounts.
- Threat group O UNC 066 (also known as Pink) employs vishing and a custom phishing kit to trick employees into registering attacker-controlled passkeys.
- The attack leverages social engineering and real-time operator interaction to bypass multi-factor authentication (MFA) and establish persistent access.
- Multiple industries, including food and beverage, technology, healthcare, automotive, construction, and aviation, have been targeted.
- The primary goal of the attackers appears to be data theft for extortion, with links to public data leak sites.
Cybercriminals are actively exploiting a critical vulnerability in Microsoft Entra ID, weaponizing the very security feature designed to enhance account protection: passkeys. A persistent threat group, identified as O UNC 066 (and by Palo Alto Networks Unit 42 as Pink), has been orchestrating a cunning phone-based phishing campaign since April 2026. This campaign manipulates employees into unwittingly registering a passkey controlled by the attackers on their own corporate Microsoft accounts.
Table Of Content
This sophisticated operation combines social engineering tactics with a bespoke phishing kit. Attackers directly call employees, convincing them of an urgent need to register a new passkey. This message often resonates with users due to Microsoft’s ongoing efforts to promote passwordless sign-in methods, making the fraudulent request appear legitimate. The full details of this campaign are elaborated in a comprehensive report.
The Deceptive Attack Flow
The victim is directed to a meticulously crafted fake login page that mirrors their company’s legitimate branding. Unlike fully automated phishing tools, this kit operates with a live attacker at the helm, managing an operator-controlled panel. This human interaction allows the attacker to guide the victim through each step of the process in real-time, dynamically adjusting the fake screens based on the victim’s specific multi-factor authentication (MFA) method, whether it involves SMS codes, authenticator app prompts, or push notifications.
This real-time, adaptive approach significantly enhances the attack’s effectiveness, making it challenging for automated security defenses to detect and block. Security researchers from Okta, who identified and documented this campaign, noted that the group’s primary objective seems to be data exfiltration for extortion purposes, rather than immediate financial fraud. Okta said in a report shared with Cyber Security News (CSN) that the attackers have already been linked to a public data leak site used to pressure victims.
The affected sectors are broad, encompassing critical industries such as food and beverage, technology, healthcare, automotive, construction, and aviation. The distinctive nature of this campaign lies in its ability to transform a security enhancement into a persistent weapon. Instead of merely stealing a one-time password, the attackers establish a lasting foothold within the compromised account via the illicitly registered passkey, an access mechanism that can survive even a password reset.
Hackers Abuse Microsoft Entra Passkey Enrollment
The attack sequence commences with a phone call to the target from an individual impersonating IT support, asserting the necessity of registering a new passkey. The caller then sends a link containing the word “passkey,” hosted on a domain meticulously designed to appear official. Upon accessing this link, the custom phishing kit initiates a multi-stage process that faithfully replicates Microsoft’s authentic sign-in flow. A loading screen first appears, followed by a request for the user’s username and password.
These stolen credentials are immediately transmitted to the attacker’s backend control panel, enabling the operator to gain access to the legitimate account within moments. The phishing kit then adapts its display based on the victim’s configured MFA method. Whether the account uses a one-time code prompt, an authenticator app number match, or an SMS page, the victim is presented with a corresponding fake screen. The attacker acts as a real-time intermediary, relaying the required authentication code from the legitimate system to the unwitting victim, thereby bypassing the MFA protection.
Once past the authentication phase, the phishing kit executes its final maneuver. It presents a passkey setup screen and instructs the victim to save a recovery phrase, which is deliberately designed using BIP 39-style words, a technique commonly associated with cryptocurrency wallets. This step serves no legitimate purpose for the account; its sole function is to divert the victim’s attention while the attacker covertly registers their own passkey in the background. A final confirmation screen then falsely assures the victim that their passkey has been successfully created, solidifying the deception. Compounding the issue, Microsoft typically sends a legitimate notification when a new passkey is added, which victims often disregard, believing it confirms their own action.
Infrastructure And Recommended Defenses
Researchers have noted that the phishing kit does not interact with third-party identity providers, suggesting that organizations utilizing external federation services may not be directly susceptible to this particular compromise method. However, any organization relying solely on native authentication within Microsoft Entra ID remains vulnerable. To mitigate exposure, security teams are strongly advised to enroll users in phishing-resistant authenticators and to implement robust security awareness training, emphasizing the importance of verifying the identity of anyone claiming to be from IT support before complying with instructions. Furthermore, restricting account access based on device status, geographical location, and network context can significantly reduce the risk of account takeover.
Organizations should also configure alerts for all authenticator lifecycle events. This ensures that any unexpected passkey registrations are immediately flagged for investigation. Given the highly convincing nature of this phishing kit, which expertly mimics routine security updates, fostering a strong culture of staff awareness regarding passkey-related scams is as crucial as implementing technical controls.
What You Should Do
- Implement Phishing-Resistant MFA: Prioritize the deployment of FIDO2 security keys or certificate-based authentication, which are inherently resistant to phishing.
- Enhance Employee Training: Conduct regular, targeted training sessions on vishing (voice phishing) and passkey-related scams. Educate employees on how to verify IT support requests and report suspicious communications.
- Monitor Authenticator Lifecycle Events: Configure alerts in Microsoft Entra ID for all passkey and authenticator registration events. Investigate any unexpected or unauthorized registrations immediately.
- Restrict Access with Conditional Access Policies: Implement Conditional Access policies to restrict account access based on factors like device compliance, trusted network locations, and geographical regions.
- Review and Audit Existing Passkeys: Regularly audit registered passkeys for all user accounts, especially those with elevated privileges, to identify and remove any unauthorized entries.
- Be Skeptical of Urgent Requests: Advise employees to be highly suspicious of any unsolicited calls or messages demanding immediate action regarding their account security, especially those involving new passkey registrations.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.