By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Cybersecurity Beat
Search
  • Home
  • News & Alerts
  • Articles
  • Features
  • Spotlight
  • About
    • Mission
    • Services
    • Contact
Reading: Phone Phishers Use Passkey Enrollment to Seize Microsoft Accounts
  • AI
  • Android
  • Authentication
  • Breaches
  • CASB
  • Compliance
  • Cryptography
  • Cyberinsurance
  • EDR
  • IAM
  • Malware
  • Phishing
  • Quantum
  • Ransomware
  • SecOps
  • SIEM
  • SOC
  • Threat Intelligence
  • Vulnerabilities
  • Zero Trust
Cybersecurity BeatCybersecurity Beat
Font ResizerAa
Search
  • News & Alerts
  • Articles
  • Spotlight
  • Features
  • Resources
Follow US
  • About CSB
  • Services
  • Contact
  • Privacy
  • Legal
©2026 CybersecurityBeat. All Rights Reserved.
News & Alerts

Phone Phishers Use Passkey Enrollment to Seize Microsoft Accounts

A live operator phone phishing campaign exploits Microsoft Entra passkey enrollment to plant persistent account access, bypassing MFA with real time victim interaction.

CSBadmin
Last updated: July 10, 2026 11:05 pm
CSBadmin
2 Min Read
Share
SHARE

The Attack Mechanism

Since April 2026, a threat group tracked as UNC 066 has been running a phone based phishing campaign that exploits Microsoft Entra passkey enrollment to hijack corporate accounts. Attackers call employees directly, posing as IT support, and claim their account needs a new passkey. They send a link to a fake login page that mirrors the company’s branding. Unlike fully automated phishing kits, this attack uses a live operator behind the scenes who walks each victim through the process step by step, adapting fake screens based on whether the account uses SMS codes, authenticator prompts, or push notifications.

Contents
The Attack MechanismThe Payload and PersistenceImpact and Defenses

The Payload and Persistence

The fake enrollment process serves as a way to plant a persistent foothold inside the account. After capturing credentials and bypassing multi factor authentication in real time, the attacker registers their own passkey while the victim is distracted by a fake recovery phrase screen. Microsoft sends a legitimate notification when a new passkey is added, but victims often dismiss it because they believe they completed the process themselves. Security researchers from Okta identified the campaign and linked the group to a public data leak site used to pressure victims for extortion, rather than immediate financial fraud.

Impact and Defenses

Affected industries span food and beverage, technology, healthcare, automotive, construction, and aviation. The phishing kit does not interact with third party identity providers, so organizations using external federation appear safe, while those relying on native authentication remain at risk. Security teams should enroll users in phishing resistant authenticators, train staff to verify IT support identity, restrict account access by device and geography, and configure alerts for every authenticator lifecycle event to flag unexpected passkey registrations.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

TAGGED:Account TakeoverPasskey
Share This Article
Facebook Print
ByCSBadmin
Follow:
The latest in cybersecurity news and updates.
Previous Article Serious Flaws in GNU Guix Could Let Attackers Escalate Privileges Remotely
Next Article Session Hijack Exploit in Citrix NetScaler Opens Door to Rapid Ransomware Deployment

Trending

Remote Crash Vulnerability Discovered in Alibaba’s XQUIC Library for HTTP/3
July 10, 2026
Rust Based MODBEACON Trojan Relies on gRPC Streaming for Stealthy C2
July 10, 2026
Page Cache Overflow in Linux FUSE Grants Local Root Access
July 10, 2026
One Click Android 17 Exploit Delivers Full Device Takeover via Browser and Kernel Zero Days
July 10, 2026
Progress Software Warns of Active Threat Against ShareFile Storage Zone Controllers
July 10, 2026

Related Stories

CSBadmin

State Surveillance Expands Through AI and Biometric Tracking Across 31 High Risk Nations

CSBadmin

DuckDuckGo Browser Builds Native YouTube Ad Blocker Using Open Source Filter Lists

CSBadmin

Critical GitHub.com and Enterprise Server RCE Vulnerability Enables Full Server Compromise

CSBadmin

Phishing Attack Weaponizes AnyDesk to Establish Persistent Remote Access

csb-sized
  • About CSB
  • Services
  • Contact
  • Privacy
  • Legal

© 2026 Cybersecurity Beat. All rights reserved.

Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?