Threat actors tracked as O-UNC-066 have launched a targeted campaign against multiple sectors using voice-based phishing to trick Microsoft 365 users into enrolling fake Entra passkeys. The attackers deploy a panel-controlled phishing kit designed to intercept the passkey enrollment workflow, granting them access to victim Microsoft 365 accounts.
The attack chain begins with voice calls impersonating Microsoft support staff. Attackers direct targets to enroll what appears to be a legitimate Entra passkey for account security. Instead, victims complete enrollment through the attacker-controlled phishing interface. This grants O-UNC-066 credential access to compromised Microsoft 365 environments.
The campaign targets organizations across multiple industry verticals. Once inside, attackers position themselves for data extortion attacks, suggesting the goal extends beyond initial access to theft of sensitive business information for ransom purposes.
Microsoft Entra (formerly Azure AD) passkeys represent a passwordless authentication method. Legitimate enrollment requires user action through official Microsoft interfaces. By mimicking this process, attackers exploit user trust in established security protocols. The voice-based social engineering component increases success rates because it creates urgency and authority.
Organizations should implement several defensive measures. Enforce multifactor authentication beyond passkeys. Educate users that Microsoft support will never request passkey enrollment via unsolicited phone calls. Disable passkey enrollment for non-administrator accounts unless specifically needed. Monitor Entra logs for unusual enrollment activity and impossible travel scenarios.
O-UNC-066 demonstrates the persistent threat posed by credential compromise at scale. Even modern passwordless authentication systems remain vulnerable to social engineering when attackers combine technical capability with human manipulation. This campaign highlights why technical controls alone prove insufficient. User awareness training and strict enrollment policies form essential layers of defense.
Organizations using Microsoft 365 should assume O-UNC-066
