A novel voice phishing (vishing) campaign is actively targeting organizations using Microsoft 365. The threat actor, codenamed O-UNC-066 by Okta, combines traditional social engineering over the phone with a sophisticated phishing kit designed to abuse modern authentication methods. Attackers impersonate IT support and guide victims to a phishing site that mirrors the Microsoft Entra ID (formerly Azure AD) login experience. The ultimate goal is to deceive the user into enrolling a new FIDO2 passkey that is controlled by the attacker. This provides the threat actor with persistent, passwordless access to the victim's account for subsequent data theft and extortion.
The campaign targets a wide range of sectors, including technology, healthcare, automotive, and aviation. The attack demonstrates a clear understanding of corporate IT procedures and modern authentication protocols.
The attack unfolds in several stages:
This attack is a sophisticated blend of social engineering and technical deception.
T1566.004 - Spearphishing Voice. The attacker uses impersonation and a pretext to manipulate the target.T1566.002 - Spearphishing Link. The specific goal is to abuse the FIDO2/WebAuthn enrollment process.T1550 - Use Alternate Authentication Material, specifically T1550.004 - Web Session Cookie, though in this case, it's a more persistent passkey.T1041 - Exfiltration Over C2 Channel by downloading data from Microsoft 365 services.This attack vector is particularly dangerous because it targets the very technology—passkeys—designed to prevent phishing. It highlights that no technology is a silver bullet and that user awareness remains a critical layer of defense, even with modern authentication.
A successful attack provides the threat actor with long-term, privileged access to a user's account and all the data within it. The impact includes the potential for major data breaches, financial loss from extortion, and reputational damage. Since the access is passwordless, traditional remediation steps like forcing a password reset are ineffective. The compromised account can also be used as a launchpad for further internal phishing attacks or business email compromise (BEC) fraud. Organizations must act quickly to identify and revoke the malicious passkey to evict the attacker.
No specific phishing domains, IP addresses, or other IOCs were provided in the source articles.
Security teams should monitor for the following suspicious activities:
Entra ID Sign-in LogsEntra ID Audit LogsAccess to new domainsMultiple MFA methodsM1017 - User Training.M1030 - Network Segmentation applied at the identity layer.Train users to verify the identity of IT staff through a separate, trusted channel before taking any action on their account.
Use Conditional Access policies to restrict sensitive actions like MFA enrollment to trusted networks, preventing enrollment from a phishing site.
Implement continuous monitoring of Microsoft Entra ID audit logs with specific alerts for authentication method changes. Create a high-priority rule that triggers whenever the 'UserRegisteredSecurityInfo' event (specifically for FIDO2 keys) is logged. The alert logic should be enriched with contextual information: Did the registration occur from an unfamiliar IP address or ASN? Was it outside of normal business hours? Did it happen shortly after a login from a new location? This provides security operations with a high-fidelity signal of a potential account takeover via MFA enrollment abuse, allowing for rapid investigation and revocation of the malicious passkey.
Harden your Microsoft Entra ID tenant configuration to prevent this attack. Use Conditional Access policies to restrict the ability to register new authentication methods to only trusted locations (e.g., corporate IP ranges) and/or compliant devices (managed by Intune). This single configuration change would block the O-UNC-066 attack vector, as the user would be unable to complete the passkey enrollment from the attacker's phishing infrastructure. For even greater security, use FIDO2 attestation to create an allowlist of approved security key models (AAGUIDs) that can be registered, preventing attackers from registering their own devices.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.