Intune/Azure passkeys now compromised in addition to MFA?
We previously used MFA through Intune but experienced several compromises involving session token theft from people using EvilGinx. As a result, we transitioned from MFA to passkeys (aka phishing-resistant MFA), as we thought that would stop token theft. However, we have recently experienced a compromise even after making this change.
Are there any known or emerging attack vectors targeting passkeys that we should be aware of? Are they not bulletproof? We have confirmed that the account has a CA policy that requires a passkey for auth, and an attacker was still able to get in. The Azure logs look like the old session token theft, where the auth was interrupted and then followed by a success from the attacker.
Additionally, the suspicious sign-ins originated from different geographic locations within a short time, which should have triggered our risky user Conditional Access policy as well, but it did not. We are trying to understand why that control may have failed.
Additionally, are there any potential gaps related to passkeys and mobile device usage? Specifically, we believe an attacker may have been able to add one of our Exchange accounts to their iPhone or use outlook.com from a mobile device, despite having a Conditional Access policy in place that requires passkeys for any new authentications.
Thank you
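The post describes three things worth pulling out of an Entra ID sign-in log export when triaging a case like this: an interrupted sign-in followed shortly by a success from a different IP, successes from locations that are too far apart for the elapsed time (the "impossible travel" signal the risk policy should have caught), and successful sign-ins whose authentication steps never include a passkey even though the CA policy requires one. The script below is an added example, not code from the original post or from Microsoft. It assumes the field names of the Microsoft Graph `signIn` resource (`createdDateTime`, `ipAddress`, `location.geoCoordinates`, `status.errorCode`, `authenticationDetails`, `clientAppUsed`); the interrupt error codes, the `"Previously satisfied"` method label and the sample events themselves are constructed for illustration and are labelled as assumptions in the comments.

```python
"""Triage checks over an Entra ID sign-in log export (constructed sample data).

Added example, not from the original post. Field names follow the Microsoft
Graph `signIn` resource; error codes, method labels and events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumption: codes commonly seen on "interrupted" sign-ins (strong auth or
# device auth required, keep-me-signed-in interrupt). Adjust to your tenant.
INTERRUPT_CODES = {50074, 50076, 50097, 50140}

DUBLIN = {"city": "Dublin", "countryOrRegion": "IE",
          "geoCoordinates": {"latitude": 53.35, "longitude": -6.26}}
NEW_YORK = {"city": "New York", "countryOrRegion": "US",
            "geoCoordinates": {"latitude": 40.71, "longitude": -74.01}}

# Constructed sample: one user, four events in chronological order.
SAMPLE_EVENTS = [
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser", "location": DUBLIN,
     "status": {"errorCode": 50074},  # interrupted: strong auth required (assumed code)
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"createdDateTime": "2024-05-01T09:04:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Browser", "location": NEW_YORK,
     "status": {"errorCode": 0},  # success, but no passkey step in the details
     "authenticationDetails": [{"authenticationMethod": "Previously satisfied", "succeeded": True}]},
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser", "location": DUBLIN,
     "status": {"errorCode": 0},  # the user's own passkey sign-in
     "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": True}]},
    {"createdDateTime": "2024-05-01T10:30:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Exchange ActiveSync", "location": NEW_YORK,
     "status": {"errorCode": 0},  # mobile mail client, again no passkey step
     "authenticationDetails": [{"authenticationMethod": "Previously satisfied", "succeeded": True}]},
]


def parse_ts(value: str) -> datetime:
    """ISO-8601 'Z' timestamps as exported from the Graph signIn resource."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def haversine_km(p: dict, q: dict) -> float:
    """Great-circle distance between two geoCoordinates dicts, in km."""
    lat1, lon1 = radians(p["latitude"]), radians(p["longitude"])
    lat2, lon2 = radians(q["latitude"]), radians(q["longitude"])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def is_success(ev: dict) -> bool:
    return ev["status"].get("errorCode", 0) == 0


def is_interrupted(ev: dict) -> bool:
    return ev["status"].get("errorCode") in INTERRUPT_CODES


def used_passkey(ev: dict) -> bool:
    """True if any successful auth step was a FIDO2 / passkey step (label match is an assumption)."""
    return any(step.get("succeeded") and ("FIDO2" in step.get("authenticationMethod", "")
                                         or "Passkey" in step.get("authenticationMethod", ""))
               for step in ev.get("authenticationDetails", []))


def _by_user(events):
    groups = defaultdict(list)
    for ev in events:
        groups[ev["userPrincipalName"]].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: parse_ts(e["createdDateTime"]))
    return groups


def interrupt_then_success(events, window=timedelta(minutes=30)):
    """Interrupted sign-in followed within `window` by a success from a different IP."""
    findings = []
    for upn, evs in _by_user(events).items():
        for i, first in enumerate(evs):
            if not is_interrupted(first):
                continue
            t0 = parse_ts(first["createdDateTime"])
            for later in evs[i + 1:]:
                if parse_ts(later["createdDateTime"]) - t0 > window:
                    break  # events are sorted, nothing later can be inside the window
                if is_success(later) and later["ipAddress"] != first["ipAddress"]:
                    findings.append((upn, first["ipAddress"], later["ipAddress"], later["createdDateTime"]))
    return findings


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successes for one user whose implied speed exceeds `max_kmh`."""
    findings = []
    for upn, evs in _by_user(events).items():
        successes = [e for e in evs if is_success(e)]
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"])
            hours = (parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])).total_seconds() / 3600
            speed = float("inf") if hours == 0 else km / hours  # same-second events: treat as infinite
            if speed > max_kmh:
                findings.append((upn, prev["location"]["city"], cur["location"]["city"], round(km), round(speed)))
    return findings


def success_without_passkey(events):
    """Successful sign-ins that show no passkey step, i.e. the CA requirement was not satisfied by a passkey."""
    return [e for e in events if is_success(e) and not used_passkey(e)]


if __name__ == "__main__":
    print("interrupt -> success:", interrupt_then_success(SAMPLE_EVENTS))
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
    print("success without passkey:",
          [(e["createdDateTime"], e["clientAppUsed"]) for e in success_without_passkey(SAMPLE_EVENTS)])
```

Against the constructed events the first check pairs the 09:00 interrupt with the 09:04 success from a second IP, the second check flags both Dublin/New York hops (roughly 5,100 km in under an hour), and the third lists the two successes whose authentication details carry no passkey step, one of them from a mobile mail client. Running the same three functions over a real export (for example the JSON from the Graph `auditLogs/signIns` endpoint) is a quick way to see whether the success that follows the interrupt actually contains a passkey step or only a "previously satisfied" claim, and whether the risky-user policy ever evaluated those events.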