
Hackers Abuse Microsoft Entra Passkey Enrollment to Hijack Enterprise Accounts
The Deceptive Lure: How Passkey Enrollment Becomes an Enterprise Account Hijack Vector
In a concerning development, cybercriminals have found a sophisticated new method to compromise corporate Microsoft accounts, turning a robust security feature – passkeys – against the very organizations it’s designed to protect. This novel attack vector highlights the continuous cat-and-mouse game between defenders and adversaries, underscoring the need for vigilance even with advanced authentication mechanisms.
Understanding the Attack: Passkey Enrollment Exploitation
A persistent threat group, identified as O UNC 066 by Microsoft and dubbed “Pink” by Palo Alto Networks Unit 42, has been orchestrating a cunning phone-based phishing campaign since at least April 2023. This campaign meticulously targets employees, manipulating them into inadvertently registering an attacker-controlled passkey to their corporate Microsoft Entra accounts. The core of the vulnerability lies not in the passkey technology itself, but in the social engineering tactics employed during the enrollment process.
The attackers leverage sophisticated phishing techniques, often initiated via voice calls or seemingly legitimate messages, to convince targets that they are performing a necessary security update or verification. During this interaction, victims are prompted to approve a passkey registration request, unknowingly binding an attacker’s device to their corporate identity. Once registered, this illicit passkey grants the threat actor persistent access, bypassing traditional multi-factor authentication (MFA) and effectively hijacking the victim’s account.
The Threat Actor: O UNC 066 (Pink)
The group behind this innovative attack, O UNC 066 (also known as Pink), demonstrates a refined understanding of both human psychology and enterprise identity management systems. Their methodology emphasizes social engineering combined with technical exploitation. While specific details on their operational origins or broader targets are still emerging, their sustained campaign since April 2023 indicates a well-resourced and determined adversary. This type of activity underlines the growing trend of threat actors moving beyond simple credential theft to manipulating authentication flows directly.
Impact on Enterprise Security
The implications of this attack are significant for businesses relying on Microsoft Entra (formerly Azure Active Directory) for identity and access management. When an attacker successfully registers a passkey, they gain:
- Persistent Access: The attacker’s passkey provides a persistent, phishing-resistant authentication method to the compromised account.
- MFA Bypass: Passkeys are designed to be phishing-resistant and often satisfy stringent MFA requirements, meaning the attacker effectively bypasses existing MFA policies.
- Data Exfiltration and Lateral Movement: With full access to an employee’s account, attackers can potentially access sensitive data, impersonate the user, and move laterally within the corporate network.
- Reputational Damage: Account hijacks can lead to significant reputational damage, financial loss, and regulatory penalties.
While the reference link provides the primary information, it’s crucial to acknowledge that this attack vector shares characteristics with other social engineering and MFA bypass techniques documented by the security community. Specific CVEs directly linked to this particular passkey enrollment abuse are not yet assigned, as the vulnerability lies in the process exploitation rather than a software defect. Future analysis may classify variations under broader social engineering or credential theft categories.
Remediation Actions and Best Practices
Mitigating the risk of passkey enrollment hijacking requires a multi-layered approach, combining technical controls with robust user education:
- Enhanced User Education: Conduct regular, targeted training on social engineering tactics, particularly those involving phone-based phishing and unexpected authentication requests. Emphasize verification of all out-of-band requests.
- Implement Conditional Access Policies: Leverage Microsoft Entra Conditional Access to restrict passkey enrollment to trusted devices, networks, or during specific administrative processes. For instance, block passkey registration from unknown or non-compliant devices.
- Monitor Audit Logs: Regularly review Microsoft Entra sign-in and audit logs for unusual passkey registration events, especially those initiated outside of expected IT-managed processes. Look for patterns indicative of suspicious activity.
- Require Step-Up Authentication for Enrollment: Mandate an additional, strong factor of authentication (e.g., an existing FIDO2 security key or a managed device certificate) before a new passkey can be enrolled.
- Restrict User Permissions for Passkey Management: Limit who can register and manage passkeys. Consider requiring IT approval or an existing strong credential for all new passkey enrollments.
- Adopt Phishing-Resistant MFA: While passkeys are designed to be phishing-resistant, the attack targets the enrollment process. Ensure overall MFA strategies rely on FIDO2 security keys or certificate-based authentication where feasible, as these are inherently more resistant to phishing.
- Incident Response Plan Review: Ensure your incident response plan includes procedures for compromised accounts via novel authentication mechanisms and how to revoke illegitimate passkeys swiftly.
Tools for Detection and Mitigation
Effective defense against such sophisticated attacks often relies on a combination of platform-native capabilities and third-party security tools.
| Tool Name | Purpose | Link |
|---|---|---|
| Microsoft Entra ID Protection | Detects identity-based risks, including unusual sign-in activities and compromised credentials. | https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection |
| Microsoft Defender for Cloud Apps (MDCA) | Provides cloud access security broker (CASB) capabilities for monitoring and controlling access to cloud apps. | https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps |
| Security Information and Event Management (SIEM) Solutions | Aggregates and analyzes security logs from various sources, including Microsoft Entra, for threat detection. | (E.g.) https://www.splunk.com or https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-sentinel |
| Endpoint Detection and Response (EDR) Solutions | Monitors endpoint activity to detect and respond to suspicious actions that may follow an account compromise. | (E.g.) https://www.crowdstrike.com or https://www.paloaltonetworks.com/cortex/cortex-xdr |
Staying Ahead of Advanced Threats
The abuse of passkey enrollment by groups like O UNC 066 serves as a stark reminder that even the most robust security features can be circumvented through clever social engineering and exploitation of process weaknesses. Organizations must maintain a proactive security posture, continually educating users, implementing stringent access controls, and leveraging advanced monitoring capabilities to protect their critical assets. The future of enterprise security relies on adapting defenses as rapidly as adversaries evolve their tactics.


