Skip to main content
Emerging ThreatsMalware & Ransomware

Hackers Exploit Microsoft Entra Passkey Enrollment in Voice Phishing Attacks

Person sitting at desk, speaking on phone with concerned expression, blurred computer screen in background.

"The threat actor registers domains that incorporate the word passkey as part of a voice-enabled phishing ('vishing') scheme," Okta researcher Houssem Eddine Bordjiba said.

Who is being targeted and how they are contacted

Okta reports a threat actor it tracks as O-UNC-066 is using voice-based social engineering across multiple sectors to prompt Microsoft 365 users to enroll a new Entra passkey. The activity has singled out organizations in food and beverage, technology, healthcare, automotive, construction, and aviation. Callers persuade targeted users over the phone that they need to register a new passkey, then direct them to a phishing site that mimics the Microsoft passkey enrollment process.

The phishing kit and the operator-controlled panel

The attack centers on a phishing kit controlled via a PHP operator panel rather than a passive credential-harvesting landing page. Okta describes the kit as panel-controlled and capable of adapting the user experience in near real time: the operator can change the pages and notifications a victim sees and tailor them to observed multi-factor authentication (MFA) flows, including TOTP, push with number matching, and SMS OTP. Okta notes the kit appears to be an operator-driven tool in which the caller and the panel operator may be separate actors.

Step-by-step of the attack chain as observed

  • Victim receives a phone call and is directed to a phishing site whose domain includes the word "passkey."
  • The kit's first page (/gate) performs anti-analysis checks while displaying a loading icon.
  • The /identify page asks for the username, and /password then requests the password; harvested credentials are posted to the operator panel at /backend.php.
  • The operator (likely distinct from the caller) uses the stolen credentials on the genuine Microsoft sign-in page for the targeted tenant.
  • The victim sees a /processing page while the operator observes what MFA challenge is presented and instructs the kit to show the relevant challenge page—/submit-otp for SMS, /submit-authenticator for TOTP, or /approve-authenticator for push.
  • Captured OTPs are posted back to /backend.php, enabling the attacker to complete sign-in and gain access.
  • Once access is obtained, the victim is redirected to /passkey/register and guided through pages labeled /passkey, /passkey/check, and /done that mimic Microsoft-branded passkey registration and prompt the user to save a 12-word recovery key.

How the passkey pretext is abused

Okta assesses the recovery-key step—a 12-word series resembling a mnemonic phrase common to cryptocurrency wallets—is a distraction meant to occupy the user while the attacker registers a passkey in the victim's Microsoft account. The phishing kit's passkey screens "appear to mimic" a real registration ceremony without actually triggering an on-device system dialog to create a legitimate passkey, and Okta suspects the flow is used to trick victims into approving an attacker-initiated passkey registration that grants the adversary persistent access.

Okta also flagged that this development coincides with Microsoft allowing administrators to configure registration campaigns that nudge users to register passkeys during sign-in—a legitimate administrative capability the threat actor is exploiting as a social-engineering lure.

Criminal infrastructure and affiliations

Okta links the activity to O-UNC-066 and notes the same actor has operated a data leak site since April 2026 under the name Pink. Palo Alto Networks Unit 42 is tracking the cluster as CL-CRI-1147 and describes it as affiliated with a decentralized cybercrime collective known as The Com, of which Scattered Spider, ShinyHunters, and LAPSUS$ are part. Okta adds there is no indication the kit redirects users to third-party identity providers like Okta itself.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: watch for panel-controlled PHP kits and domains that incorporate "passkey" as an active vishing vector; note the kit's ability to adapt to differing MFA challenges in real time and the use of a 12-word recovery-key distraction.
  • Affected enterprises and procurement leaders: be aware that administrative passkey registration campaigns can be used as a social-engineering pretext; consider communications and user education tied to any nudges that prompt users to register passkeys during sign-in.
  • End users and the general public: calls requesting immediate passkey enrollment and directions to save a 12-word recovery phrase should be treated with suspicion—Okta observed these specific elements used to persuade users and to occupy them while attackers complete registration on the backend.

The facts are stark: a phishing-resistant upgrade process—passkey enrollment—has been turned into the lure itself, and the attack uses a controlled, adaptive kit to convert real-time MFA interactions into account takeover. Okta's linkage of the activity to O-UNC-066 and the existence of a Pink data leak site since April 2026 underline that the technique is operational and tied to known criminal infrastructure. Whether increased passkey adoption can be carried out at scale without opening new avenues for social-engineered enrollment remains the immediate operational question raised by these documented attacks.

Original reporting