Published on July 12, 2026
Hackers Use Fake Microsoft Entra Passkey Enrolment to Gain Microsoft 365 Access
Severity
High
Detail
Cybersecurity researchers have identified an ongoing phishing campaign in which threat actors impersonate Microsoft security personnel and use voice phishing (vishing) alongside fake Microsoft Entra passkey enrollment pages to compromise Microsoft 365 accounts.
The campaign, tracked by Okta as O-UNC-066 targets organizations across multiple industries including technology, healthcare, aviation, automotive, construction, and food & beverage. Attackers exploit users’ unfamiliarity with passkey registration by convincing them to enroll what appears to be a legitimate Microsoft Entra passkey. The attackers register their own passkey on the victim’s account, allowing persistent unauthorized access without stealing authentication tokens through traditional Adversary-in-the-Middle (AiTM) techniques.
This campaign abuses Microsoft’s legitimate passkey enrollment process to establish attacker-controlled authentication methods directly within compromised accounts. The phishing kit includes a real-time operator-controlled panel capable of adapting phishing pages based on the victim’s MFA configuration, significantly increasing the likelihood of a successful compromise.
How?
The attack begins when threat actors contact targeted employees by phone, impersonating Microsoft support or the organization’s IT helpdesk and claim that a new Microsoft Entra passkey must be registered for security purposes. Victims are then directed to a phishing website that closely mimics the legitimate Microsoft sign-in and passkey enrolment process.
After entering their Microsoft 365 username and password, the phishing kit relays the credentials to a live operator, who attempts to authenticate to the victim’s account through Microsoft’s legitimate login page. Depending on the victim’s configured Multi-Factor Authentication (MFA) method, the phishing site dynamically prompts for SMS one-time passwords (OTP), Microsoft Authenticator codes, or push notification approvals, allowing the attacker to complete the authentication process in real time.
Once authenticated, the victim is guided through a fake passkey registration process while the attacker secretly registers their own passkey on the victim’s Microsoft account. The victim is then distracted with a fake recovery phrase verification page, giving the attacker sufficient time to finalize the enrolment. The threat actor can subsequently access the victim’s Microsoft 365 account without requiring further interaction from the user.
Recommendations
Organizations are advised to implement the following security measures:
- Educate employees to verify all unsolicited phone calls requesting Microsoft 365 security changes or passkey registration.
- Configure Microsoft Entra ID to restrict passkey registration to trusted administrators or approved self-service processes.
- Monitor Microsoft Entra ID audit logs for unusual passkey registration events, authentication method changes, and suspicious sign-in activity.
- Require administrators to verify user identity through established internal procedures before requesting authentication changes.
- Review newly added authentication methods regularly and remove any unauthorized passkeys immediately.
- Conduct regular security awareness training covering voice phishing (vishing), fake passkey enrollment, and social engineering techniques.
Source
https://thehackernews.com/2026/07/hackers-use-fake-microsoft-entra.html
