Security Arsenal is tracking an active campaign identified by Okta as O-UNC-066, targeting organizations across multiple sectors. This threat actor has bypassed traditional technical controls by weaponizing the human element through a sophisticated voice-based social engineering (vishing) operation combined with a panel-controlled phishing kit.
The objective is alarming: tricking Microsoft 365 users into enrolling a fake Microsoft Entra passkey. Once enrolled, the actor gains persistent, phishing-resistant access to the victim's account, paving the way for data extortion and lateral movement. Because passkeys (FIDO2) are designed to be the gold standard of authentication, bypassing the enrollment validation process creates a critical blind spot for Security Operations Centers (SOCs). Defenders must act immediately to detect this enrollment behavior and harden their identity infrastructure against these social engineering attempts.
Technical Analysis
Affected Products & Platforms:
- Microsoft Entra ID (formerly Azure Active Directory)
- Microsoft 365 (Exchange Online, SharePoint Online, Teams)
- Platforms: Windows, macOS, iOS, Android (wherever M365 enrollment occurs)
Attack Mechanics (The Kill Chain):
-
Initial Contact (Vishing): The actor contacts the target user via voice call, spoofing internal IT support or security departments. They utilize a sense of urgency, claiming the user's account is compromised or requires immediate security upgrades.
-
The Phishing Kit (Panel-Controlled): The actor guides the user to a malicious web portal designed to mimic the legitimate Microsoft Entra passkey enrollment interface. This is not a static page but a kit controlled by an actor panel, allowing for dynamic adjustments and real-time session handling.
-
Enrollment Bypass: The user, believing they are securing their account, initiates the passkey enrollment process. The malicious site intercepts this request. Depending on the specific implementation of the kit, the user may be registering a passkey that is actually linked to the attacker's device or authorizing a session binding that the attacker controls.
-
Persistence & Extortion: With a valid passkey registered, the attacker possesses a phishing-resistant credential. They can access M365 services at will, often bypassing standard conditional access triggers that look for anomalous locations (as passkeys can be used securely from anywhere). The end goal is data exfiltration and extortion.
Exploitation Status:
- Status: Confirmed Active Exploitation (In-the-wild)
- CVE: Not applicable (Social Engineering / Identity bypass)
Detection & Response
The following detection rules are designed to identify the artifacts of this specific campaign. While social engineering is difficult to detect at the network perimeter, the outcome—the registration of a new authentication method—is a high-fidelity signal in cloud logs.
SIGMA Rules
---
title: Potential O-UNC-066 Entra Passkey Enrollment Activity
id: 8a2f1c22-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects the registration of FIDO2 security keys (Passkeys) in Microsoft Entra ID. While legitimate, rapid or unexpected registrations may indicate the O-UNC-066 fake enrollment kit.
references:
- https://attack.mitre.org/techniques/T1098/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.persistence
- attack.t1098.005
logsource:
product: azure
service: audit
definition: 'Requirements: Entra ID Audit Logs sent to Sentinel/SIEM'
detection:
selection:
OperationName|contains:
- 'Added authentication method'
- 'User registered security information'
TargetResources:
'*.Type': 'FIDO2'
condition: selection
falsepositives:
- Legitimate IT-led passwordless authentication rollouts
- Users self-enrolling personal security keys
level: high
---
title: Suspicious Entra ID Audit Activity via Non-Corporate Workstation
id: 9b3g2d33-0f5c-5e78-cd23-4f6b9g012345
status: experimental
description: Detects Entra ID administrative or credential registration operations initiated from devices not compliant with Conditional Access policies (if DeviceID is available and marked as unmanaged).
references:
- https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.initial_access
- attack.t1078.004
logsource:
product: azure
service: signin
detection:
selection:
OperationName|contains:
'User registered security information'
DeviceDetail:
IsCompliant: 'false'
IsManaged: 'false'
condition: selection
falsepositives:
- Valid registration from personal BYOD devices if policy allows
level: medium
KQL (Microsoft Sentinel)
// Hunt for recent FIDO2/Passkey enrollments in Entra ID Audit Logs
AuditLogs
| where OperationName in ("User registered security information", "Added authentication method")
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend AuthMethod = tostring(TargetResources[0].modifiedProperties[1].newValue)
| where AuthMethod contains "FIDO2" or AuthMethod contains "Passkey"
| project TimeGenerated, OperationName, Target, AuthMethod, Caller, IpAddress
| order by TimeGenerated desc
Velociraptor VQL
This VQL artifact hunts browser history for interactions with keywords related to the fake enrollment process, filtering out legitimate Microsoft domains to isolate potential phishing sites.
-- Hunt for passkey enrollment related keywords in browser history
SELECT * FROM foreach(
{
SELECT OSPath FROM glob(globs="*/History", root=expand(path=%AppData%)+"/Google/Chrome/User Data/Default/*")
UNION ALL
SELECT OSPath FROM glob(globs="*/places.sqlite", root=expand(path=%AppData%)+"/Mozilla/Firefox/Profiles/*")
},
{
SELECT
Timestamp,
URL,
Browser,
Username
FROM browse(history=OSPath)
WHERE URL =~ "passkey"
OR URL =~ "enroll"
OR URL =~ "securityinfo"
AND NOT URL =~ "microsoft.com"
AND NOT URL =~ "live.com"
AND NOT URL =~ "msauth.net"
}
)
Remediation Script (PowerShell)
This script utilizes the Microsoft Graph PowerShell module to audit users for newly registered FIDO2 keys. Run this in a restricted context to identify potential compromise.
# Audit Entra ID for recently registered FIDO2 keys (O-UNC-066 Detection)
# Requires Microsoft.Graph PowerShell module and Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "User.Read.All" -NoWelcome
$TimeFrame = (Get-Date).AddDays(-7)
$Results = @()
$Users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName
foreach ($User in $Users) {
$AuthMethods = Get-MgUserAuthenticationMethod -UserId $User.Id
foreach ($Method in $AuthMethods) {
# Filter for FIDO2 methods (Passkeys)
if ($Method.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.fido2AuthenticationMethod") {
$CreatedDateTime = $Method.AdditionalProperties["createdDateTime"]
if ($CreatedDateTime -and [DateTime]$CreatedDateTime -gt $TimeFrame) {
$Results += [PSCustomObject]@{
UserPrincipalName = $User.UserPrincipalName
DisplayName = $User.DisplayName
AuthMethodType = "FIDO2 / Passkey"
Model = $Method.AdditionalProperties["model"]
CreatedDateTime = $CreatedDateTime
Status = "REVIEW: Recent Registration Detected"
}
}
}
}
}
if ($Results.Count -gt 0) {
$Results | Format-Table -AutoSize
Write-Warning "O-UNC-066 THREAT DETECTED: Users with new passkey enrollments found. Verify legitimacy immediately."
} else {
Write-Host "No new FIDO2 passkey enrollments detected in the last 7 days." -ForegroundColor Green
}
Remediation
To neutralize the O-UNC-066 threat vector and protect against fake passkey enrollments, implement the following defensive measures immediately:
-
Conditional Access Policies (Critical):
- Implement a Conditional Access policy that restricts the ability to register authentication methods (specifically FIDO2/Passkeys) to devices that are compliant or hybrid-joined to the corporate domain.
- Require Multi-factor Authentication (MFA) to access the "Security Info" registration page (
https://aka.ms/mfasetup). - Block registration from risky IP addresses or impossible travel contexts.
-
User Awareness & Vishing Drills:
- Immediately notify users that IT support will never call unsolicited to ask them to enroll a passkey or verify credentials via a web link.
- Conduct internal vishing simulations targeting the "passkey enrollment" scenario to train high-risk users.
-
Audit and Revoke:
- Run the PowerShell script above to identify any passkeys registered in the last 30 days.
- Contact the owners of these keys. If the enrollment is unsolicited or unrecognized, delete the authentication method immediately via the Microsoft Entra Admin Center > Users > Authentication methods.
-
Disable "Passwordless" Features (If Unused):
- If your organization does not actively utilize FIDO2/Passkeys, disable the registration capability via the Authentication methods policy in Entra ID to prevent attack surface expansion.
Related Resources
Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.