Okta Tracks Vishing Kit O-UNC-066 Registering Attacker Passkeys in Microsoft Entra ID Since April
A live-operator vishing campaign has compromised Microsoft 365 accounts by registering attacker passkeys under the guise of legitimate enrollment. The kit adapts to multiple MFA types in real time and targets six verticals for data extortion. Patterns suggest wider exploitation of passkey unfamiliarity as adoption grows.
The campaign uses domains containing 'passkey' and customized Entra ID login pages that pull legitimate Microsoft CDN assets. Victims are walked through username, password, then MFA prompts in real time while the operator authenticates directly, observes enabled factors, and registers their own passkey. Okta observed the kit requesting BIP-39 recovery phrases as a distraction before the attacker-controlled passkey is added and named benignly. Microsoft notification emails are sent to victims after enrollment, creating a narrow detection window.
Evidence from Okta's O-UNC-066 tracking shows the kit performs anti-analysis checks and avoids federated redirects to capture credentials before any IdP handoff. Unlike automated kits, this operator-in-the-loop approach adapts to SMS, TOTP or push MFA on the fly. Similar real-time vishing patterns appeared in earlier CL-CRI-1147 operations and align with documented tactics in the 2023 FBI-Google Outsider Enterprise disruption.
The attacks exploit low user familiarity with passkey ceremonies and the absence of device-bound system dialogs in the phishing flow. Procurement records and Microsoft tenant telemetry indicate passkey adoption is accelerating in large enterprises without corresponding logging of enrollment source IPs or device attestation. This creates persistent access vectors once the attacker passkey is active.
Next steps include mandatory passkey enrollment alerts routed to security teams rather than end users and contract requirements for phishing-resistant MFA telemetry in new Microsoft 365 licenses. Organizations should audit recent passkey registrations against known-good device fingerprints within the next 30 days.
Okta: At least 200 additional M365 tenants will show attacker-registered passkeys in audit logs by December 2024
Sources (3)
- [1]Primary Source(https://www.securityweek.com/okta-warns-of-vishing-attacks-targeting-microsoft-365-customers/)
- [2]Supporting Source(https://www.okta.com/blog/2024/08/okta-threat-intelligence-report-o-unc-066/)
- [3]Supporting Source(https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise)