Since April 2026, a threat actor tracked as O-UNC-066 has been phoning employees and walking them through a spoofed Microsoft 365 passkey enrollment process, stealing their credentials and hijacking corporate accounts. Identity security firm Okta disclosed the campaign on Wednesday, warning that the attackers are using a purpose-built phishing kit designed to capture authentication tokens during the passkey setup.
The attack: a phone call, a fake security alert, and a rogue passkey
According to Okta’s investigation, the attack chain begins with a targeted phone call. The attacker, posing as an IT helpdesk representative, contacts an employee—often someone with access to sensitive systems or financial data—and claims there is an urgent security issue with their Microsoft 365 account. The employee is then directed to visit a website that mimics the legitimate Microsoft login or security setup page.
That site, built with a phishing kit Okta has linked to O-UNC-066, prompts the user to go through what appears to be a standard passkey enrollment flow. Passkeys are a modern, phishing-resistant authentication method that uses cryptographic key pairs stored on a device instead of passwords. But the enrollment process itself is a critical vulnerability: if an attacker tricks a user into registering a passkey on a device the attacker controls, the attacker gains persistent access to the account.
In this campaign, when the employee follows the instructions and completes the enrollment, the newly created passkey is tied to the attacker’s infrastructure—not the employee’s device. The phishing kit captures the resulting authentication token, effectively handing over full account access. Because the passkey is now associated with the attacker, subsequent login attempts do not trigger multi-factor authentication (MFA) prompts for the legitimate user, making the takeover stealthy.
Okta noted that the attackers have been careful to use phone calls rather than email, likely to bypass spam filters and build trust through real-time social engineering. The calls are reportedly convincing, with attackers citing details like recent login activity or referencing specific internal projects gleaned from public sources or previous data breaches.
What it means for your organization
For corporate security teams, this campaign tears up the assumption that passkeys are inherently unphishable. While the technology is designed to resist classic credential harvesting, the human element in enrollment remains a ripe target. A successful attack yields the attacker a fully authenticated session, often with the same privileges as the legitimate user. From there, business email compromise, data exfiltration, or lateral movement into sensitive systems are all on the table.
For the employee who falls victim, the experience is disorienting. The passkey appears to have been set up correctly, and there is no obvious password theft or MFA alert to raise suspicion. The account might continue to function normally for the user while the attacker operates in the background.
Small businesses and enterprises using Microsoft 365 are equally exposed, especially if they have recently encouraged or mandated passkey adoption without training users about phishing risks during enrollment. The attack specifically targets organizations that have enabled passkey support within Microsoft 365—a setting that is on by default for many tenants.
How we got here: passkeys, phishing, and the arms race
Passkeys, built on the FIDO2 and WebAuthn standards, were hailed as the end of passwords and a bulletproof shield against phishing. Unlike passwords or one-time codes, a passkey is tied to a specific domain and cannot be tricked into being sent to an impostor site. That makes traditional man-in-the-middle phishing useless.
But as security architects have long warned, the Achilles’ heel is the enrollment ceremony. If an attacker can convince a user to enroll a passkey on a rogue device or browser session controlled by the attacker, they can then impersonate the user on any device. The attack doesn’t break the cryptography; it sidesteps it entirely.
This isn’t the first time passkey enrollment has been exploited. In early 2025, researchers demonstrated a proof-of-concept attack against consumer Google accounts using a similar approach. The O-UNC-066 campaign is notable because it’s a sustained, targeted operation against corporate Microsoft 365 tenants—and because it employs phone-based social engineering rather than email phishing.
Microsoft has added protections such as device-bound passkeys and attestation requirements, but many default configurations still allow cross-device enrollment scenarios that make such attacks feasible. Okta’s disclosure signals that threat actors are actively refining their tactics to exploit the gap between passkey security promises and real-world implementations.
Immediate steps to protect your organization
IT administrators should act now to review and harden passkey enrollment policies within Microsoft 365. Here are concrete actions, based on Okta’s advisory and prevailing security guidance:
- Restrict passkey enrollment to managed devices only. In Microsoft Entra ID, create an authentication strengths policy that requires passkeys be device-bound and enrolled only from devices that are either Azure AD joined or compliant. This prevents enrollment from an attacker’s unmanaged machine.
- Enable attestation for passkeys. Where possible, require that enrolled passkeys provide hardware attestation, proving they were created in a trusted execution environment (like a TPM). This makes it much harder for a rogue passkey to be accepted.
- Disable the default “any” authenticator attachment mode. In Entra ID’s WebAuthn settings, switch from “any” to “platform” or “cross-platform” with caution. For most corporate use, “platform” ensures the passkey is stored in the device’s native credential manager (Windows Hello, Apple Face ID, etc.) and not a roaming USB key an attacker could mail to a user.
- Monitor for unusual passkey enrollment events. Use Microsoft 365 audit logs (specifically the “User registered security info” event) and SIEM alerts to flag passkey registrations from unfamiliar IP addresses, devices, or during off-hours. Okta suggests looking for registrations followed by immediate login from a different location.
- Train users on vishing and passkey scams. Explicitly include passkey-enrollment phishing in security awareness programs. Teach employees that no legitimate IT representative will ever call and guide them through an unsolicited security setup. If in doubt, they should hang up and call the helpdesk using a known internal number.
- Consider blocking passkey enrollment entirely until controls are in place. If your organization cannot enforce device-bound enrollment today, disabling passkeys temporarily and relying on other MFA methods may reduce risk—though this should be weighed against the phishing protection passkeys offer when configured correctly.
- Review Conditional Access policies. Create a policy that revokes sessions or requires re-authentication if a passkey enrollment is detected from a risky sign-in.
For Microsoft, the spotlight is on whether default configurations are too permissive. Okta’s disclosure may prompt faster implementation of stricter enrollment guardrails, such as requiring an existing strong authentication factor before allowing passkey registration.
Outlook: what to watch next
Passkey adoption is accelerating as major platforms push a passwordless future. This attack is a reminder that no single technology is a silver bullet—security depends on the entire enrollment and recovery chain. Okta expects copycat campaigns to emerge, potentially using AI-generated voice calls to scale the vishing component. Microsoft will likely publish updated guidance for passkey security, and enterprise identity providers may introduce new anti-phishing signals during enrollment. In the near term, organizations that rush to deploy passkeys without layered controls will remain prime targets.