Microsoft Entra Passkey Exploitation: How Hackers Hijack Enterprise Accounts

Article Content
As organizations worldwide scramble to adopt passwordless security, a dangerous operational paradox has emerged: the very transition to safer standards is being actively weaponized. Cybersecurity researchers have recently exposed a highly coordinated voice-phishing (vishing) campaign, tracked as O-UNC-066 (and publicly associated with the extortion brand Pink or CL-CRI-1147), that exploits the enrollment phase of the Microsoft Entra passkey to compromise and systematically hijack enterprise accounts. While FIDO2-based authentication remains mathematically secure once fully deployed, threat actors have realized that the vulnerable moment of registration is ripe for manipulation. By intercepting users during this crucial setup phase, cybercriminals are turning a premier defense initiative into a direct gateway for persistent, silent network infiltration.
The Bootstrapping Vulnerability in Next-Gen Authentication
To understand why this campaign is so devastating, one must analyze the foundational architecture of passwordless authentication. FIDO2 and WebAuthn standards operate on asymmetric cryptography. During a legitimate registration, a private key is securely generated and bound to the local hardware (such as a TPM or a physical YubiKey), while the corresponding public key is registered with the identity provider (IdP), in this case, Microsoft Entra ID. Because the cryptographic handshake is bound to the origin domain in the browser, traditional adversary-in-the-middle (AitM) phishing proxies cannot intercept or replay subsequent logins. Once configured, it is arguably the most robust defense available against modern credential theft.
However, this security model possesses a single, critical structural vulnerability: the **bootstrapping phase**. Before a user can authenticate using a passkey, they must first register it. In a typical enterprise rollout, this setup process is authorized using weaker, legacy credentials—such as a password combined with a temporary one-time password (OTP) or an authenticator push notification. If a threat actor can intercept the user during this bootstrapping window, they can trick the IdP into registering the *attacker’s* hardware key as the authorized credential for that user’s identity. This is precisely the operational bottleneck that O-UNC-066 is exploiting with surgical precision.
Anatomy of the Exploit: Hijacking the Microsoft Entra Passkey Registration Flow
The attack chain orchestrates a highly persuasive mixture of real-time social engineering and dynamic, operator-controlled phishing infrastructure. Rather than relying on massive, automated spam blasts, O-UNC-066 operates a highly targeted vishing model that targets specific, high-value corporate personnel across healthcare, aviation, technology, and manufacturing sectors.
Step 1: The Social Engineering Pretext
The attack begins with a phone call from a confident threat actor pretending to be an internal IT helpdesk engineer. Crucially, the attackers leverage a real-world catalyst: Microsoft’s rollout of “nudge” features that allow enterprise administrators to prompt or mandate users to register passkeys during their standard sign-in workflows. The caller informs the victim that corporate security policy now mandates the immediate setup of their new Microsoft Entra passkey and offers to “walk them through” the process. This alignment with real internal IT initiatives lowers the victim’s psychological guard.
Step 2: Redirection to Targeted Phishing Infrastructure
Once the victim is hooked on the call, the attacker instructs them to navigate to a specific URL. Rather than using obvious, generic phishing domains, O-UNC-066 registers blunt, authoritative domains specifically designed to look like official administrative portals. Highly active domains observed in this campaign include:
assignpasskey.comdeploypasskey.compasskeydeploy.compasskeyadd.comsetpasskey.com
To maximize credibility, the threat actors pre-stage these domains with target-specific subdomains containing the victim organization’s actual name (e.g., [companyname].deploypasskey.com). These landing pages are meticulously designed to pull authentic corporate branding, logos, and custom background images directly, making the fake portal visually indistinguishable from the organization’s genuine Microsoft 365 sign-in interface.
Behind the Curtain: The PHP Live-Panel and Heartbeat Mechanism
What sets O-UNC-066 apart from run-of-the-mill AitM phishing campaigns is the use of a custom, human-in-the-loop management panel. Traditional automated phishing frameworks like Evilginx act as automated reverse proxies, relaying static traffic back and forth. However, automated tools can easily break when faced with complex conditional access policies, geo-blocking, or unexpected multi-factor authentication (MFA) challenges.
O-UNC-066 bypasses this technical hurdle by utilizing an operator-driven PHP panel that establishes a continuous websocket or rapid polling heartbeat (approximately once per second) with the victim’s browser session. When the victim types their username and password into the fake portal, the credentials immediately populate the attacker’s backend panel. The human attacker—simultaneously conversing with the victim over the phone—manually copies these credentials and enters them into the legitimate Microsoft 365 login portal.
When Microsoft’s server serves an MFA challenge, the attacker observes the type of challenge required. Whether the system demands a standard SMS OTP, an authenticator app push, or a two-digit number matching prompt, the attacker uses their PHP panel to instantly push the corresponding fake UI element to the victim’s screen. The attacker then verbally coaches the victim into completing the challenge (e.g., “Please tap 42 on your authenticator app to authorize your passkey enrollment”). By coordinating the browser’s visual state with the live voice call, the threat actor achieves an incredibly high authentication success rate.
Cryptographic Sleight of Hand: The BIP-39 Distraction
Once the victim authorizes the login session, the attacker gains full control of the authenticated session inside the real Microsoft Entra environment. The attacker immediately navigates to the user’s security settings page to register a FIDO2 hardware-backed key under the attacker’s physical possession.
To prevent the victim from realizing that an external device is being registered, the phishing kit pivots the victim’s browser to a highly convincing “Passkey Backup Recovery” page. This page displays a fake recovery key consisting of a 12-to-24-word BIP-39 mnemonic seed phrase sequence, commonly associated with cryptocurrency wallets. The victim is instructed to copy, write down, and verify these words to “finalize” their security setup.
This is a brilliant psychological distraction designed for two purposes:
- Time Accumulation: Manually typing, confirming, and verifying a sequence of 12 or 24 random mnemonic words is a tedious process that typically takes the user several minutes. This buying of time gives the attacker the uninterrupted window they need to complete the actual FIDO2 passkey registration in the background.
- Notification Cloaking: When a new passkey is successfully registered to a Microsoft Entra account, Microsoft automatically sends an transactional security email to the user (e.g., “A security key was added to your account”). Because the victim has just spent several minutes completing what they believed was a “secure enrollment” process, they dismiss this real notification as a routine confirmation of their own actions, rather than recognizing it as an alert of an active hijack.
The Com, Pink, and the Mechanics of Cloud Extortion
According to threat intelligence reports from Palo Alto Networks Unit 42, the Pink extortion group (tracked as CL-CRI-1147) is heavily linked to a decentralized cybercrime network known as “The Com”. Historically known for SIM-swapping, physical threats, and extreme social engineering, groups within this umbrella have increasingly pivoted to targeted cloud-identity compromise for high-yield data extortion.
Once a persistent Microsoft Entra passkey is registered by the attacker, the compromise is incredibly difficult to remediate. The registered passkey survives standard password resets and session revocations, allowing the threat actor a permanent, phishing-resistant backdoor into the enterprise. Pink uses this access to systematically sweep cloud storage systems, exfiltrating vast quantities of sensitive corporate data from OneDrive, SharePoint, and corporate email accounts.
Within hours of exfiltrating the data, the extortion phase begins. Unlike traditional ransomware actors who drop encryptors on local servers, Pink operates purely via cloud-based exfiltration. They use the compromised corporate accounts themselves to send internal emails to executives and draft Microsoft Teams messages directly to employees, demanding steep financial ransoms under tight 72-hour deadlines to prevent the public leaking of sensitive IP, customer records, and financial documents.
Actionable Defenses: Fortifying Passkey Lifecycle Management
The emergence of the O-UNC-066 campaign highlights a fundamental truth: securing the authentication process is meaningless if the enrollment process is left unmonitored. Organizations must shift from treating passkey deployment as a passive IT update to managing it as a high-stakes, highly restricted administrative event. Security teams should immediately implement the following technical and operational defenses:
| Defense Category | Recommended Security Control | Technical Implementation Details |
|---|---|---|
| Identity Bootstrapping | Enforce Temporary Access Passes (TAP) | Prohibit users from registering new passkeys using legacy MFA (SMS, push). Require a high-entropy, short-lived Temporary Access Pass issued only after strict, out-of-band identity verification. |
| Conditional Access | Restrict Registration Context | Configure Entra ID Conditional Access policies to restrict FIDO2 passkey registration solely to known, compliant corporate devices or trusted corporate network ranges (Trusted IPs). |
| Lifecycle Alerting | Real-Time Security Info Alerts | Establish immediate, high-priority automated alerts (via SIEM or Sentinel) for any AuditLogs containing the activity "User registered security info" or modifications to authentication methods. |
| Infrastructure Blocking | Proactive Domain Monitoring | Block and monitor outbound traffic to known vishing indicators, specifically targeting base domains containing variations of “passkey” (e.g., *passkey*.com) combined with dynamic DNS or protective hosting providers like DDoS-Guard. |
| Operational Policy | Helpdesk Verification Protocols | Mandate a strict, bi-directional verification protocol for helpdesk staff. Employees must never initiate authenticator enrollment based on an unsolicited incoming call without verifying the caller’s identity through an established internal directory lookup or video verification. |
Ultimately, the threat posed by O-UNC-066 does not expose a flaw in the cryptographic design of the Microsoft Entra passkey itself. Instead, it exposes the operational friction of the transition period. As organizations retire legacy MFA in favor of modern, phishing-resistant environments, security administrators must recognize that the journey to a passwordless state is just as critical to defend as the final destination.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


