A new attack vector exploiting the setup process for passkey authentication has emerged, targeting the enrollment phase rather than the login itself. Security researchers at Okta have identified a campaign where attackers use voice-based social engineering to trick Microsoft 365 users into registering the attacker's own device as a legitimate passkey, creating a persistent backdoor into corporate environments.
Passkeys, built on the FIDO2 standard, are designed to be resistant to traditional phishing because they bind credentials to specific, verified services. This attack circumvents that security model by deceiving users during the initial provisioning stage. Tracked by Okta as the threat actor O-UNC-066, the campaign uses a sophisticated phishing kit to interact directly with the legitimate Microsoft Entra passkey enrollment flow.
The attack begins with a vishing call. Posing as internal IT support or a Microsoft technician, the attacker creates urgency, instructing the victim to set up a "new, more secure" passkey. The target is then guided to a malicious panel. As the victim completes the fake setup, the attacker's system silently captures the cryptographic handshake, successfully enrolling the attacker's own device as a valid authenticator for the user's account.
This method establishes a passwordless backdoor that persists independently of user passwords or session tokens. Once enrolled, the attacker maintains privileged access for data exfiltration and potential extortion, even if the victim later changes their password. The discovery highlights a critical shift in focus for threat actors, targeting the human-dependent provisioning processes that underpin passwordless security.
Okta's analysis underscores that while passkeys protect authentication, the initial enrollment remains a potent attack surface. Defending against this vector requires a dual approach. Organizations must train employees to recognize and report unsolicited requests to modify authentication methods. Technically, security teams should implement stricter out-of-band verification for such changes and monitor for anomalous passkey enrollment activity within identity management systems like Microsoft Entra ID.
安全研究人員 Okta 識別出一種新興攻擊向量,該向量利用 Passkey 認證的設置流程,針對的是註冊階段而非登入環節本身。在一個被追蹤為威脅行為者 O-UNC-066 的攻擊行動中,攻擊者使用基於語音的社交工程手段,欺騙 Microsoft 365 用戶將攻擊者自己的設備註冊為合法的 Passkey,從而為企業環境創造了一個持久性後門。
基於 FIDO2 標準構建的 Passkey,其設計初衷是抵抗傳統的網絡釣魚攻擊,因為它將憑證綁定到特定的、已驗證的服務。這種攻擊透過在初始配置階段欺騙用戶,繞過了該安全模型。Okta 使用一套複雜的網絡釣魚工具包與合法的 Microsoft Entra Passkey 註冊流程直接交互,從而實現了攻擊。
攻擊始於一個語音網絡釣魚(Vishing)電話。攻擊者偽裝成內部 IT 支援人員或微軟技術員,製造緊迫感,指示受害者設置一個「新的、更安全的」Passkey。隨後,受害者被引導至一個惡意面板。當受害者完成偽造的設置過程時,攻擊者的系統會靜默捕獲加密握手過程,成功將攻擊者自己的設備註冊為該用戶帳戶的有效認證器。
此方法建立了一個無密碼後門,其持久性獨立於用戶密碼或會話令牌。一旦註冊成功,即使受害者後來更改了密碼,攻擊者仍能保持特權訪問,用於數據竊取和潛在的勒索。這項發現凸顯了威脅行為者關注點的一個關鍵轉變,即針對支撐無密碼安全的人為依賴型配置流程。
Okta 的分析強調,儘管 Passkey 能保護認證環節,但初始註冊階段仍然是一個潛在的攻擊面。防禦此類攻擊向量需要採取雙重策略。組織必須培訓員工識別並舉報未經請求的認證方法修改請求。在技術層面,安全團隊應為此類變更實施更嚴格的帶外驗證,並在身份管理系統(如 Microsoft Entra ID)中監控異常的 Passkey 註冊活動。
