Breaking Alerts

O-UNC-066 Leverages Vishing to Hijack Entra Passkeys for Extortion

O-UNC-066 Leverages Vishing to Hijack Entra Passkeys for Extortion
Views:
16
CVSS Score:No CVSS Score
Published:
1d ago

Executive Summary

  • Sophisticated Vishing Campaign: Threat actor O-UNC-066 is employing voice-based social engineering (vishing) to trick Microsoft 365 users into enrolling new Entra ID passkeys.
  • Targeting Advanced Authentication: The campaign specifically exploits the passkey enrollment process, a critical step in adopting stronger, phishing-resistant authentication methods.
  • Advanced Phishing Kit: A custom, panel-controlled phishing kit facilitates the manipulation of the passkey enrollment workflow, indicating a high level of technical sophistication.
  • High-Impact Objective: The ultimate goal of these compromised accounts is to execute data extortion attacks, posing a severe risk to targeted organizations across multiple sectors.

Detailed Analysis

A new and concerning campaign, attributed by Okta to the threat actor O-UNC-066, is actively targeting organizations across diverse sectors. This group is utilizing a sophisticated blend of social engineering and technical exploitation to compromise Microsoft 365 user accounts, with the ultimate aim of data extortion.

The core of the attack involves "voice-based fake security requests," a vishing technique where attackers impersonate IT support or security personnel. These calls manipulate users into believing there's an urgent security issue requiring their immediate attention. The critical step in this deception is coercing users to enroll a new Entra ID (formerly Azure AD) passkey. This is a particularly insidious tactic because passkeys are generally considered a highly secure, phishing-resistant form of authentication. By tricking users into enrolling an attacker-controlled passkey, O-UNC-066 gains a persistent, strong authentication method to the victim's account.

To facilitate this, O-UNC-066 employs a custom, panel-controlled phishing kit specifically designed to interact with and manipulate the Entra passkey enrollment process. This indicates a deep understanding of Microsoft's authentication mechanisms and the ability to craft highly convincing, real-time phishing interfaces that guide victims through the malicious enrollment. Once a new, unauthorized passkey is enrolled, the threat actor can bypass existing multi-factor authentication (MFA) and gain full access to the user's Microsoft 365 environment.

Why This Matters

This campaign represents an evolution in attacker methodologies. While organizations are increasingly adopting phishing-resistant MFA like passkeys, O-UNC-066 demonstrates that the initial enrollment phase remains a vulnerable link if not properly secured and understood by users. The use of vishing adds a layer of social engineering that often bypasses traditional email security filters, making it harder for users to detect. Furthermore, the explicit goal of data extortion signifies a direct path to significant financial and reputational damage, moving beyond simple credential theft to high-stakes leverage. This trend highlights the continuous need for robust user education that extends beyond recognizing email phishing to understanding the nuances of voice-based threats and the critical importance of scrutinizing any request to enroll new authentication methods.

Key Indicators / Technical Highlights

  • Threat Actor: O-UNC-066 (tracked by Okta)
  • Attack Technique (TTPs): Vishing (Voice Phishing), Passkey Enrollment Manipulation, Credential Phishing (MITRE ATT&CK T1566.001, T1566.002)
  • Targeted Systems: Microsoft 365, Microsoft Entra ID (Passkey enrollment process)
  • Tools: Panel-controlled phishing kit designed for passkey enrollment.
  • Primary Goal: Data Extortion via compromised Microsoft 365 accounts.
  • Targeted Users: Microsoft 365 users across multiple sectors.

Risk Assessment

  • Severity: Critical
  • Justification: This campaign combines sophisticated social engineering (vishing) with technical exploitation of a strong authentication enrollment process (Entra passkeys) to achieve high-impact data extortion. It bypasses established security controls and targets the human element, posing an immediate and severe threat to data integrity and organizational operations.

Recommendations

  1. User Education & Awareness: Conduct regular training on recognizing vishing attempts. Emphasize that legitimate IT support will rarely, if ever, ask users to enroll a new passkey over the phone or via unsolicited links.
  2. Scrutinize Enrollment Requests: Instruct users to be extremely cautious of any request to enroll a new authentication method, especially if it originates from an unexpected call or email. All such requests should be verified through official, out-of-band channels.
  3. Conditional Access Policies: Implement robust Conditional Access policies within Microsoft Entra ID to restrict passkey enrollment to trusted networks, compliant devices, or specific administrative roles.
  4. Monitor Entra ID Logs: Actively monitor Entra ID sign-in and audit logs for unusual passkey enrollments, new authentication method registrations, or logins from anomalous locations or devices.
  5. Phishing-Resistant MFA Implementation: While passkeys are strong, ensure that the process of their initial enrollment is secure. For critical accounts, consider FIDO2 security keys that require physical presence and user interaction.
  6. Incident Response Planning: Develop and regularly test incident response plans specifically for data extortion and credential compromise scenarios, including steps for account lockout, credential revocation, and data recovery.

Source Attribution

This analysis is based on threat intelligence insights regarding the O-UNC-066 campaign, as tracked and reported by Okta.

#Vishing #OUC066 #EntraID #PasskeySecurity #Microsoft365 #DataExtortion #CybersecurityThreat #PhishingKit #ThreatIntelligence #MFAbypass