Threat Actor 'O-UNC-066' Targets Microsoft 365 Users with Vishing Campaign for Passkey Enrollment

Vishing Campaign Tricks Users into Enrolling Attacker Passkeys to Hack Microsoft 365 Accounts

HIGH
July 10, 2026
6m read
PhishingCyberattackThreat Actor

Related Entities

Threat Actors

O-UNC-066

Organizations

Okta

Products & Tech

Microsoft 365 Microsoft Entra ID

Full Report

Executive Summary

A novel voice phishing (vishing) campaign is actively targeting organizations using Microsoft 365. The threat actor, codenamed O-UNC-066 by Okta, combines traditional social engineering over the phone with a sophisticated phishing kit designed to abuse modern authentication methods. Attackers impersonate IT support and guide victims to a phishing site that mirrors the Microsoft Entra ID (formerly Azure AD) login experience. The ultimate goal is to deceive the user into enrolling a new FIDO2 passkey that is controlled by the attacker. This provides the threat actor with persistent, passwordless access to the victim's account for subsequent data theft and extortion.


Threat Overview

The campaign targets a wide range of sectors, including technology, healthcare, automotive, and aviation. The attack demonstrates a clear understanding of corporate IT procedures and modern authentication protocols.

The attack unfolds in several stages:

  1. The Vishing Call: The attacker calls an employee, posing as a member of the internal IT helpdesk. They use a plausible pretext, such as a required security update or account migration, to create a sense of urgency and legitimacy.
  2. Redirection to Phishing Site: The employee is directed to a phishing website. The domain name is often carefully chosen to look legitimate (e.g., using typosquatting). The site itself is a pixel-perfect replica of the organization's Microsoft Entra ID login portal.
  3. Fraudulent Passkey Enrollment: The core of the attack is to guide the user through the process of enrolling a new passkey (a FIDO2 hardware security key or platform authenticator). Because the process is initiated from the attacker's phishing site, the resulting passkey is linked to the attacker's device, not the user's.
  4. Persistent Access: Once the passkey is enrolled, the attacker has a durable method for accessing the victim's account. This access persists even if the user's password is changed, as passkey authentication is passwordless.
  5. Data Extortion: The attackers use this persistent access to exfiltrate sensitive data from the user's email, SharePoint, and OneDrive, which is then used in data extortion schemes.

Technical Analysis

This attack is a sophisticated blend of social engineering and technical deception.

  • Social Engineering: The initial vishing call is a classic example of T1566.004 - Spearphishing Voice. The attacker uses impersonation and a pretext to manipulate the target.
  • Phishing Infrastructure: The attacker uses a high-quality phishing site, likely powered by a phishing kit, to replicate the legitimate login portal. This falls under T1566.002 - Spearphishing Link. The specific goal is to abuse the FIDO2/WebAuthn enrollment process.
  • Steal or Forge Authentication Tokens: By tricking the user into enrolling the attacker's device, the threat actor effectively forges an authentication method. This is a novel form of T1550 - Use Alternate Authentication Material, specifically T1550.004 - Web Session Cookie, though in this case, it's a more persistent passkey.
  • Data Exfiltration: After gaining access, the attacker performs T1041 - Exfiltration Over C2 Channel by downloading data from Microsoft 365 services.

This attack vector is particularly dangerous because it targets the very technology—passkeys—designed to prevent phishing. It highlights that no technology is a silver bullet and that user awareness remains a critical layer of defense, even with modern authentication.


Impact Assessment

A successful attack provides the threat actor with long-term, privileged access to a user's account and all the data within it. The impact includes the potential for major data breaches, financial loss from extortion, and reputational damage. Since the access is passwordless, traditional remediation steps like forcing a password reset are ineffective. The compromised account can also be used as a launchpad for further internal phishing attacks or business email compromise (BEC) fraud. Organizations must act quickly to identify and revoke the malicious passkey to evict the attacker.

IOCs — Directly from Articles

No specific phishing domains, IP addresses, or other IOCs were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams should monitor for the following suspicious activities:

Type
Log Source
Value
Entra ID Sign-in Logs
Description
Look for a successful user login immediately followed by the enrollment of a new authentication method (passkey), especially if the login IP is unusual.
Type
Log Source
Value
Entra ID Audit Logs
Description
Filter for the activity 'Register security key' or 'Register FIDO2 security key'. Correlate this with helpdesk tickets or user reports.
Type
Network Traffic Pattern
Value
Access to new domains
Description
Monitor for employees accessing newly registered or uncategorized domains that mimic corporate login pages.
Type
Other
Value
Multiple MFA methods
Description
A user account with multiple passkeys or an unexpected new passkey added can be a sign of compromise.

Detection & Response

  1. Audit Authentication Methods: Regularly audit the authentication methods registered for all user accounts in Microsoft Entra ID. Investigate any accounts with multiple passkeys or recently added passkeys that cannot be verified by the user. This can be achieved through D3FEND's Domain Account Monitoring (D3-DAM).
  2. Alert on New Method Enrollment: Configure SIEM alerts to trigger whenever a new authentication method is enrolled, especially if it occurs outside of a normal IT-managed process or from an anomalous location.
  3. Phishing Site Detection: Use web filtering and browser isolation technologies to block access to known and suspected phishing sites. This is a form of D3FEND's URL Analysis (D3-UA).
  4. Incident Response: If a compromise is suspected, the immediate response action is to access the user's account in Entra ID, revoke the malicious passkey from their authentication methods, and terminate all active sessions.

Mitigation

  1. User Training: This is the most critical mitigation. Train users to be suspicious of unsolicited calls from 'IT'. Establish a clear protocol for all IT-initiated actions, such as requiring the user to call the helpdesk back on a known-good number. This corresponds to M1017 - User Training.
  2. Resistant MFA: While the attack targets MFA enrollment, organizations can restrict the types of MFA allowed. Using passkeys that are tied to specific corporate devices can help.
  3. Conditional Access Policies: Implement Entra ID Conditional Access policies that restrict authentication method registration to trusted networks (e.g., corporate LAN) or compliant devices. This would prevent a user from enrolling a new key from an arbitrary phishing site. This is a form of M1030 - Network Segmentation applied at the identity layer.
  4. FIDO2 Attestation: For advanced security, organizations can configure Entra ID to only accept passkeys from specific manufacturers or models of security keys (via AAGUIDs). This would prevent an attacker from registering their own arbitrary key.

Timeline of Events

1
July 10, 2026
This article was published

MITRE ATT&CK Mitigations

Train users to verify the identity of IT staff through a separate, trusted channel before taking any action on their account.

Use Conditional Access policies to restrict sensitive actions like MFA enrollment to trusted networks, preventing enrollment from a phishing site.

Audit

M1047enterprise

Regularly audit and alert on the registration of new authentication methods within Entra ID.

D3FEND Defensive Countermeasures

Implement continuous monitoring of Microsoft Entra ID audit logs with specific alerts for authentication method changes. Create a high-priority rule that triggers whenever the 'UserRegisteredSecurityInfo' event (specifically for FIDO2 keys) is logged. The alert logic should be enriched with contextual information: Did the registration occur from an unfamiliar IP address or ASN? Was it outside of normal business hours? Did it happen shortly after a login from a new location? This provides security operations with a high-fidelity signal of a potential account takeover via MFA enrollment abuse, allowing for rapid investigation and revocation of the malicious passkey.

Harden your Microsoft Entra ID tenant configuration to prevent this attack. Use Conditional Access policies to restrict the ability to register new authentication methods to only trusted locations (e.g., corporate IP ranges) and/or compliant devices (managed by Intune). This single configuration change would block the O-UNC-066 attack vector, as the user would be unable to complete the passkey enrollment from the attacker's phishing infrastructure. For even greater security, use FIDO2 attestation to create an allowlist of approved security key models (AAGUIDs) that can be registered, preventing attackers from registering their own devices.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

VishingPhishingMicrosoft 365Entra IDPasskeysFIDO2Social EngineeringO-UNC-066

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.