The Attack Mechanism
Since April 2026, a threat group tracked as UNC 066 has been running a phone based phishing campaign that exploits Microsoft Entra passkey enrollment to hijack corporate accounts. Attackers call employees directly, posing as IT support, and claim their account needs a new passkey. They send a link to a fake login page that mirrors the company’s branding. Unlike fully automated phishing kits, this attack uses a live operator behind the scenes who walks each victim through the process step by step, adapting fake screens based on whether the account uses SMS codes, authenticator prompts, or push notifications.
The Payload and Persistence
The fake enrollment process serves as a way to plant a persistent foothold inside the account. After capturing credentials and bypassing multi factor authentication in real time, the attacker registers their own passkey while the victim is distracted by a fake recovery phrase screen. Microsoft sends a legitimate notification when a new passkey is added, but victims often dismiss it because they believe they completed the process themselves. Security researchers from Okta identified the campaign and linked the group to a public data leak site used to pressure victims for extortion, rather than immediate financial fraud.
Impact and Defenses
Affected industries span food and beverage, technology, healthcare, automotive, construction, and aviation. The phishing kit does not interact with third party identity providers, so organizations using external federation appear safe, while those relying on native authentication remain at risk. Security teams should enroll users in phishing resistant authenticators, train staff to verify IT support identity, restrict account access by device and geography, and configure alerts for every authenticator lifecycle event to flag unexpected passkey registrations.
Source: Cyber Security News
