Top Highlights
- Threat actors are exploiting Microsoft’s passkey enrollment process via sophisticated voice phishing (‘vishing’) campaigns to register malicious passkeys and gain unauthorized access to Microsoft 365 accounts.
- The attack involves operator-controlled phishing kits that mimic legitimate enrollment pages, deceive users into approving attacker-initiated passkey registration, and manipulate MFA challenges in real time.
- The threat group, linked to the CL-CRI-1147 cluster and operating since April 2026, leverages social engineering and real-time control to facilitate data extortion and account takeover across multiple industries.
Threat, Attack Techniques, and Targets
A threat actor, known as O-UNC-066, has been targeting organizations across multiple industries. They use voice calls to trick users into enrolling new Microsoft Entra passkeys. The attacker calls victims and persuades them they need to register a passkey. Then, they guide the user through a fake enrollment process that looks like the real Microsoft system. The attacker uses a phishing kit operated through a PHP panel. It guides the user step-by-step to enter credentials and approve passkey registration. The kit can adapt the experience based on the user’s multi-factor authentication (MFA) method, like SMS or app notifications. This attack mainly targets industries such as food and beverage, technology, healthcare, automotive, construction, and aviation. The goal is to take control of accounts and perform data extortion.
Impact, Security Implications, and Remediation Guidance
This attack can lead to serious consequences, including unauthorized access to Microsoft 365 accounts. When successful, attackers can hijack accounts and threaten data security. The security risks include data theft, fraud, and further malicious activities within targeted organizations. Because the attack exploits the passkey enrollment process, it can bypass some security measures if users are tricked. Organizations should stay alert to voice phishing attempts and educate users about fake security requests. For prevention, it is important to verify any security prompts received over the phone. If you suspect an attack like this, seek remediation guidance from Microsoft or relevant security authorities. They can provide specific steps to secure accounts and prevent further compromise.
Expand Your Tech Knowledge
Explore the future of technology with our detailed insights on Artificial Intelligence.
Stay inspired by the vast knowledge available on Wikipedia.
ThreatIntel-V1
