Hackers Exploit Fake Microsoft Entra Passkey Enrollment to Compromise Microsoft 365 Accounts
Leave a Comment / Cybersecurity, Data Protection, Enterprise Technology, Industry News / By cxojunction
Passwordless authentication is becoming a cornerstone of enterprise identity security, but cybercriminals are already adapting their tactics to exploit the growing trust in these technologies. A newly uncovered phishing operation has been found abusing Microsoft Entra passkey enrollment to infiltrate Microsoft 365 accounts, creating fresh opportunities for unauthorized access and data extortion.

Rather than relying on conventional phishing pages, the attackers combine voice phishing with a fake Microsoft Entra passkey enrollment process to gain access to Microsoft 365 accounts. Tracked by Okta as O-UNC-066, the operation targets organizations across the food and beverage, technology, healthcare, automotive, construction, and aviation sectors. Victims are persuaded to register a new passkey through fraudulent websites that closely mimic Microsoft’s legitimate enrollment process, allowing attackers to secretly register their own passkey on the victim’s account.
The technique has emerged as they continue promoting passwordless sign-ins through registration prompts during login, making the deception appear legitimate. Rather than using conventional phishing methods that simply capture usernames, passwords, or MFA tokens, the threat actors employ an operator-controlled toolkit that responds to each victim’s security verification process in real time. This allows the fraudulent workflow to closely mirror the genuine Microsoft sign-in experience.
After credentials are collected, they are immediately used in a legitimate Microsoft login session controlled by the operators. Victims are then prompted to complete whichever verification method appears, including SMS one-time passwords, authenticator app codes, or push notifications. As the interaction progresses, the phishing pages change dynamically based on the user’s responses, increasing the likelihood that access will be successfully obtained.
Once inside the account, users are taken through a fake Microsoft – branded enrollment sequence featuring recovery key storage and seed phrase confirmation screens. These additional steps are designed to distract victims while the unauthorized security key is registered in the background. Okta said the phishing kit takes advantage of limited user familiarity with passwordless enrollment procedures. The company also linked O-UNC-066 to the “Pink” data leak site, while Palo Alto Networks Unit 42 associates the activity with CL-CRI-1147 and the cybercrime collective known as The Com.
The incident demonstrates that even advanced identity protections can be undermined when sophisticated social engineering is combined with trusted business workflows. As enterprises accelerate passwordless adoption, success will depend on pairing modern security technologies with continuous employee awareness and stronger identity monitoring. Recognizing suspicious enrollment requests, verifying unexpected security calls, and detecting unauthorized account changes will help organizations preserve the benefits of modern authentication, strengthen cyber resilience, and reduce the risk of account compromise and data extortion.
CXO Junction remains dedicated to providing you with exclusive insights into transformative leadership journeys. Stay tuned for more updates as we continue to bring industry news to you.
Source: Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access | The Hacker News | https://thehackernews.com/2026/07/hackers-use-fake-microsoft-entra.html
