general · TheHackerNews
A threat actor tracked by Okta as O-UNC-066 has been conducting voice-based phishing campaigns targeting Microsoft 365 users across multiple sectors including food and beverage, technology, healthcare, automotive, construction, and aviation. The attacker calls targeted users claiming they need to enroll a new Entra passkey, then directs them to a phishing kit that mimics Microsoft's legitimate passkey enrollment process. The operator-controlled PHP panel guides victims through credential harvesting and MFA challenges in real-time, adapting to different authentication methods (TOTP, push notifications, SMS OTP). Once credentials and MFA tokens are captured, the attacker enrolls their own passkey in the victim's Microsoft account, granting unauthorized access. The threat actor associated with O-UNC-066 operates a data leak site called Pink and is reportedly affiliated with a decentralized cybercrime collective.
For organizations subject to CMMC, SOC2, or HIPAA requirements, this campaign highlights a critical gap between adopting phishing-resistant authentication (like passkeys) and user awareness. Defense contractors handling CUI should review whether passkey enrollment campaigns are creating social engineering opportunities among staff. SaaS teams in SOC2 observation should consider how real-time operator control over phishing pages defeats traditional detection and assess whether user training adequately covers vishing tactics targeting modern authentication workflows. Healthcare providers under HIPAA should evaluate whether passkey rollouts include sufficient user authentication and account takeover detection controls. An Omniware engagement can scope the risk of authentication-layer social engineering in your specific deployment and recommend detection or incident response measures.
Source: The Hacker News - https://thehackernews.com/2026/07/hackers-use-fake-microsoft-entra.html
Source: TheHackerNews
All briefings