A sophisticated threat actor tracked as Muddled Libra is targeting organizations across multiple sectors with voice-based phishing attacks that trick Microsoft 365 users into enrolling fraudulent passkeys, according to research published by Okta.
The campaign uses a panel-controlled phishing kit specifically designed to compromise the Microsoft Entra passkey enrollment process. Victims are directed to lookalike domains that incorporate the word “passkey” and then receive phone calls instructing them to register a new passkey for their Microsoft account.
A phone call, a passkey, and a stolen session
When victims visit the phishing page, they are presented with an interface that is visually identical to Microsoft’s legitimate passkey enrollment portal. Instead of registering the victim’s own passkey, however, the kit enrolls the attacker’s passkey against the victim’s Microsoft account, granting the threat actor persistent, passwordless access to Microsoft 365 resources.
The timing of this campaign coincides with Microsoft’s rollout of administrator-configurable registration campaigns designed to nudge users toward passkey adoption at scale. Threat actors are exploiting the unfamiliarity surrounding passkey enrollment processes, weaponizing a security enhancement as a lure.
Who the attackers are targeting and why
Okta researchers report that the campaign has targeted organizations in the food and beverage, technology, healthcare, automotive, construction, and aviation industries. The threat actor registers domains designed to impersonate Microsoft’s passkey enrollment workflow and deploys PHP-based phishing panels that are fully operator-controlled.
Unlike adversary-in-the-middle phishing kits that steal credentials and session tokens during authentication, this approach compromises the victim’s account at a deeper level by enrolling a persistent authentication factor that the attacker fully controls.
How to keep passkey enrollment out of enemy hands
Organizations should educate employees that legitimate passkey enrollment requests will never come from unsolicited phone calls. Security teams should monitor for registration of new passkeys on privileged accounts and consider implementing conditional access policies that flag passkey enrollment events originating from unusual IP ranges or geographies.
Microsoft’s Entra ID allows administrators to review authentication method registration activity, which can help detect unauthorized passkey bindings before they are exploited for data theft or extortion.
