A voice-based phishing attack is targeting Microsoft 365 users with fake Entra passkey enrollment requests. Threat actor O-UNC-066 uses a panel-controlled kit to bypass security and extort data. Learn how to protect yourself.
A new wave of voice-based phishing attacks is making the rounds, and it's targeting Microsoft 365 users in a way that feels disturbingly real. The threat actor, tracked by Okta as O-UNC-066, is using fake security requests to trick people into enrolling a fraudulent Entra passkey. Once that passkey is set up, the attacker can access your account and start extorting data.
This isn't just another spam email campaign. It's a sophisticated, panel-controlled phishing kit designed to bypass the usual security checks. The attack starts with a phone call that sounds legit—someone claiming to be from IT or Microsoft support, urging you to enroll a new passkey for security reasons. And if you fall for it, you're handing over the keys to your entire Microsoft 365 environment.
### How the Attack Works
The process is deceptively simple. Here's how it typically unfolds:
- **Voice Call Initiation:** The attacker calls the target, posing as a trusted support agent. They use social engineering to create urgency, often claiming there's a security breach or an upcoming compliance deadline.
- **Passkey Enrollment Prompt:** The victim is directed to a phishing page that mimics the Microsoft Entra login portal. The page asks them to enroll a new passkey, which is actually controlled by the attacker.
- **Access Granted:** Once the passkey is enrolled, the attacker can authenticate as the user, gaining full access to Microsoft 365 services like email, files, and Teams.
- **Data Extortion:** The attacker then exfiltrates sensitive data and threatens to leak it unless a ransom is paid.
This approach is particularly dangerous because it targets the authentication process itself, not just passwords. Passkeys are meant to be more secure than traditional passwords, but if the enrollment process is compromised, the security advantage evaporates.
### Why This Matters for You
If you're a professional relying on Microsoft 365 for your daily work—and let's be honest, most of us are—this attack should be on your radar. The voice-based element makes it harder to spot because it bypasses the usual email filters. And since the phishing kit is panel-controlled, it can be updated and customized on the fly, making it even more evasive.
I've seen a lot of phishing campaigns over the years, but this one stands out because it exploits trust. The attacker isn't just asking for a password; they're asking you to perform an action that feels legitimate. That's why education and awareness are your best defenses.
### How to Protect Yourself
So, what can you do to stay safe? Here are a few practical steps:
- **Verify the Caller:** If someone calls claiming to be from IT or Microsoft support, hang up and call back using a known number. Never trust the caller ID.
- **Don't Enroll Passkeys Over the Phone:** Legitimate organizations will never ask you to enroll a passkey during a phone call. If they do, it's a red flag.
- **Use Multi-Factor Authentication (MFA):** Even if a passkey is compromised, MFA adds another layer of protection. Make sure you're using an authenticator app or hardware token.
- **Train Your Team:** Conduct regular phishing simulations and educate employees about social engineering tactics. Awareness is the first line of defense.
- **Monitor for Anomalies:** Keep an eye on your Microsoft 365 sign-in logs for unusual activity, like new passkey enrollments from unknown locations.
### The Bigger Picture
This attack is a reminder that security isn't just about technology—it's about people. The most advanced security tools can't protect you if someone willingly hands over access. That's why we need to think like attackers and prepare for the unexpected.
For now, the best advice is simple: stay skeptical. If something feels off, it probably is. And if you're ever unsure, reach out to your IT team directly. A little caution can save you a lot of trouble down the road.