🟠 High  |  Source: The Hacker News


A threat actor tracked as O-UNC-066 is using vishing (voice phishing) calls to trick Microsoft 365 users into enrolling an attacker-controlled passkey in Microsoft Entra, effectively handing over persistent account access. Once enrolled, the attacker can authenticate as the victim without needing a password or MFA, enabling data extortion. The attack uses a panel-controlled phishing kit specifically designed to abuse the passkey registration flow.

Security Architect’s Take: Review and restrict who can register new Entra passkeys by enforcing Conditional Access policies that require a trusted, managed device and a compliant network location for any authentication method registration. Additionally, enable Microsoft Entra ID Protection alerts for suspicious registration events and train users to treat any unsolicited calls requesting security re-enrolment as a red flag.

Original advisory: Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access