Security · 3h ago
Fake Voice Calls Trick Microsoft 365 Users Into Enrolling Malicious Passkeys
A threat actor tracked as O-UNC-066 is using voice-based phishing to trick Microsoft 365 users into enrolling fake Entra passkeys, enabling account takeover and data extortion. The attack targets organizations across multiple sectors with a panel-controlled phishing kit. Okta identified the campaign, which exploits the passkey enrollment process to gain persistent access.
Meridian48 take
This attack highlights a growing trend of voice phishing combined with identity enrollment abuse, underscoring that even passkey-based security can be undermined by social engineering.
Read the full reporting
Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access →
The Hacker News
phishingmicrosoft-entra