Full Report
A threat actor has been targeting organizations spanning multiple sectors with voice-based fake security requests that prompt Microsoft 365 users to enroll a new Entra passkey with an aim to carry out data extortion attacks. The threat actor, tracked by Okta under the moniker O-UNC-066, has deployed a panel-controlled phishing kit that's capable of targeting the passkey enrollment process. The
Analysis Summary
# Incident Report: O-UNC-066 Vishing and Fake Passkey Enrollment
## Executive Summary
A sophisticated threat actor tracked as O-UNC-066 is targeting Microsoft 365 users across multiple critical infrastructure sectors using voice-based phishing (vishing). The attacker tricks users into enrolling the attacker's own passkey via a custom-controlled phishing kit, effectively bypassing traditional MFA to gain persistent access for data extortion.
## Incident Details
- **Discovery Date:** July 10, 2026 (Public reporting date)
- **Incident Date:** Ongoing as of mid-2026
- **Affected Organization:** Multiple (names not disclosed)
- **Sector:** Food and Beverage, Technology, Healthcare, Automotive, Construction, and Aviation
- **Geography:** Global/Multi-regional
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing
- **Vector:** Vishing (Voice Phishing)
- **Details:** Attackers call victims, masquerading as security personnel. They inform the user they must register a new security passkey to comply with company policy or security upgrades.
### Lateral Movement
- **Details:** Once the attacker's passkey is registered to the victim's account, they gain full authorized access to the Microsoft 365 environment. This allows for movement across SharePoint, OneDrive, and Outlook to identify sensitive data.
### Data Exfiltration/Impact
- **Details:** The primary objective is documented as data extortion. Attackers access and exfiltrate sensitive corporate information to demand ransom payments.
### Detection & Response
- **Discovery:** Identified by Okta threat researchers observing a surge in "passkey" themed domain registrations and panel-controlled phishing activity.
- **Response Actions:** Threat intelligence released by Okta to help organizations identify the specific "vishing-to-passkey" workflow.
## Attack Methodology
- **Initial Access:** Vishing and social engineering.
- **Persistence:** Registration of an attacker-controlled Passkey (FIDO2/WebAuthn) to the user's account.
- **Privilege Escalation:** Exploiting the user's existing permissions within the M365 tenant.
- **Defense Evasion:** Anti-analysis checks on the `/gate` page; use of legitimate-looking branding; avoiding AitM proxies by using a man-in-the-session manual operator kit.
- **Credential Access:** Harvesting usernames and passwords via a phishing panel (`/identify`, `/password`).
- **Lateral Movement:** Native M365 application access using the enrolled passkey.
- **Exfiltration:** Data extortion via access to cloud storage and email.
- **Impact:** Unauthorized account takeover and potential mass data theft.
## Impact Assessment
- **Financial:** Risk of high extortion demands and regulatory fines for breached data.
- **Data Breach:** High risk; targeting sensitive sectors like Healthcare and Tech for extortion-worthy data.
- **Operational:** Disruption to security teams having to audit passkey enrollment logs.
- **Reputational:** High, due to the targeting of high-profile critical infrastructure sectors.
## Indicators of Compromise
- **Network Indicators:**
- URLs containing "passkey" (e.g., `passkey-enrollment[.]com`) - *Defanged*
- `/gate`
- `/identify`
- `/password`
- `/backend.php`
- `/submit-otp`
- `/passkey/register`
- **Behavioral Indicators:**
- Unexpected phone calls from "Help Desk" or "Security" regarding passkeys.
- New passkey registrations from unrecognized devices or IP addresses.
- Simultaneous successful logins from geographically distant locations.
## Response Actions
- **Containment:** Revoke unauthorized passkeys from the Entra ID / Microsoft 365 admin center.
- **Eradication:** Reset passwords for compromised accounts and sign out of all active sessions.
- **Recovery:** Monitor account logs for any secondary persistence mechanisms (e.g., new app registrations or mail forwarding rules).
## Lessons Learned
- **Passkey Misconceptions:** While passkeys are "phishing-resistant," the *enrollment process* itself remains a vulnerable social engineering vector.
- **Real-time Interaction:** Attackers are moving away from automated kits to "operator-controlled" panels that allow them to react to MFA challenges in real-time.
- **Pretexting Success:** The transition to more secure authentication (MFA/Passkeys) provides a timely and believable "security update" lure for attackers.
## Recommendations
- **User Training:** Specifically warn employees that IT will never call to "walk them through" a passkey enrollment over the phone.
- **Administrative Controls:** Restrict the ability for users to register new MFA methods (including passkeys) from untrusted networks or unmanaged devices.
- **Monitoring:** Implement alerts in Microsoft Entra ID for any new passkey or MFA device registration, particularly if preceded by a password change or vishing-style behavior.
- **Verified Identity:** Use verified communication channels for any security-related account changes.