Close Menu

    Subscribe to Updates

    Get the latest Tech news from SynapseFlow

    What's Hot

    Austrian Audio The Arranger review: wired open-backed headphones that can turn their hand to almost anything

    July 11, 2026

    Firefox’s privacy defaults are too soft — and that’s exactly why I switched to this privacy-focused browser

    July 11, 2026

    3 offline iPad apps I keep downloaded at all times

    July 11, 2026
    Facebook X (Twitter) Instagram
    • Homepage
    • About Us
    • Contact Us
    • Privacy Policy
    Facebook X (Twitter) Instagram YouTube
    synapseflow.co.uksynapseflow.co.uk
    • AI News & Updates
    • Cybersecurity
    • Future Tech
    • Reviews
    • Software & Apps
    • Tech Gadgets
    synapseflow.co.uksynapseflow.co.uk
    Home»Cybersecurity»Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers
    Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers
    Cybersecurity

    Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers

    The Tech GuyBy The Tech GuyJuly 11, 2026No Comments3 Mins Read0 Views
    Share
    Facebook Twitter LinkedIn Pinterest Email
    Advertisement


    Organizations across multiple sectors have been targeted in a vishing campaign aimed at harvesting Microsoft 365 credentials, Okta warns.

    Advertisement

    The campaign started in April and has involved voice calls directing the victims to fake Microsoft Entra ID login pages under the pretense that they need to register a new passkey.

    Tracked as O-UNC-066 and also known as CL-CRI-1147 and Pink, the hacking group has been targeting automotive, aviation, construction, food and beverage, healthcare, and technology organizations, mainly for data extortion.

    As part of the observed attacks, the threat actor has been registering domains incorporating the word ‘passkey’, and has been directing victims to pages that closely mirror the Microsoft passkey enrollment process.

    “It appears engineered to convince a targeted user they are in the process of enrolling a passkey with Microsoft, while the threat actor simultaneously registers their own passkey in the targeted user’s Microsoft account,” Okta says.

    The fake Microsoft Entra ID login pages are customized for each victim from the backend of the phishing kit, using legitimate branding and loading content from Microsoft’s content delivery network.

    Advertisement. Scroll to continue reading.

    Unlike other phishing kits, this is an operator-controlled PHP panel that does not automatically collect credentials, multi-factor authentication (MFA) tokens, and session tokens.

    Instead, the threat actor directs the victim through multiple authentication stages in near-real time, adapting the page’s content and notifications during the session to accommodate various MFA requirements.

    “It is likely that the threat actor uses the kit to take over the user account and trick the user into approving an attacker-initiated registration of a passkey,” Okta notes.

    Throughout the various stages of the attack, the phishing pages perform anti-analysis checks, request a username without redirecting to a federated identity provider, and request a password that the operator likely uses in real-time to access the victim’s account.

    Next, the victim is shown a processing page while the operator likely authenticates to the account to observe the type of MFA that has been enabled and selects what to display to the victim: SMS OTP, TOTP, or push MFA.

    In line with the campaign’s lure, the attacker can then redirect the user to a passkey registration page, where they are asked to save a recovery key from a list of BIP-39 phrases the threat actor controls. Next, the victim is asked to verify the final word used in the seed phrase.

    “The phishing kit appears to prey on the lack of user familiarity with passkey authentication. In a real passkey registration ceremony, the user might expect a system dialog to register a passkey on their device. The passkey pages in this phishing kit appear to mimic this process without registering a passkey,” Okta notes.

    According to the company, BIP-39 seed phrases do not appear to have a direct applicability in Microsoft Entra, and the hacking group may be using this step as a distraction. At the same time, attacker-controlled passkeys are enrolled in the victim’s account.

    “Any time a user enrolls a passkey with Microsoft, the owner of the compromised account receives a legitimate Microsoft email to notify them that a new passkey has been registered in their account. During an attack, the passkey was actually enrolled by the threat actor directly with Microsoft, and the threat actor is in a position to name the passkey with something the targeted user would view as benign,” Okta explains.

    Related: Massive Password Spray Campaign Targeting Azure CLI

    Related: FBI, Google Dismantle ‘Outsider Enterprise’ Phishing Service

    Related: Google, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of Devices

    Related: Over 500 Organizations Hit in Years-Long Phishing Campaign

    Advertisement
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    The Tech Guy
    • Website

    Related Posts

    GigaWiper Combines Multiple Malware for System-Level Sabotage

    July 11, 2026

    China, India-Linked Hackers Both Targeted Same Pakistani Police Force

    July 11, 2026

    In Other News: DHS Database Hacked, Adobe Boosts Patch Cadence, Canada Disrupts Ransomware Ops

    July 10, 2026

    Third US Security Expert Sentenced to Prison for Helping Ransomware Gang

    July 10, 2026

    Palo Alto Networks Patches 13 Vulnerabilities

    July 10, 2026

    UK Government Rolls Out Agentic AI Defense Plan Alongside Industry Pledge

    July 10, 2026
    Leave A Reply Cancel Reply

    Advertisement
    Top Posts

    You don’t need a NAS to self-host — I proved it with hardware from my closet

    June 7, 2026253 Views

    Spotify is giving one of its best playlists a big visual upgrade to give subscribers ‘a closer connection’ to its New Music Friday curators — and I think it could be the update it’s always needed

    June 12, 2026157 Views

    The iPad Air brand makes no sense – it needs a rethink

    October 12, 202516 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Advertisement
    About Us
    About Us

    SynapseFlow brings you the latest updates in Technology, AI, and Gadgets from innovations and reviews to future trends. Stay smart, stay updated with the tech world every day!

    Our Picks

    Austrian Audio The Arranger review: wired open-backed headphones that can turn their hand to almost anything

    July 11, 2026

    Firefox’s privacy defaults are too soft — and that’s exactly why I switched to this privacy-focused browser

    July 11, 2026

    3 offline iPad apps I keep downloaded at all times

    July 11, 2026
    categories
    • AI News & Updates
    • Cybersecurity
    • Future Tech
    • Reviews
    • Software & Apps
    • Tech Gadgets
    Facebook X (Twitter) Instagram Pinterest YouTube Dribbble
    • Homepage
    • About Us
    • Contact Us
    • Privacy Policy
    © 2026 SynapseFlow All Rights Reserved.

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.