A new vishing campaign targeting Microsoft 365 users has been identified, described by Okta as employing voice calls that lead victims to counterfeit login pages prompting passkey registration. The campaign, tracked as O-UNC-066, has chiefly impacted sectors including automotive and healthcare, with attackers registering domains containing 'passkey' to mislead users.
The fraudulent pages mimic Microsoft branding closely, tricking users into allowing attackers to register their own passkeys while seemingly enrolling legitimate ones. The threat actors adapt their tactics in real time based on the victim's MFA requirements, utilizing anti-analysis techniques and custom phishing pages throughout the attack stages. Okta warns that attackers may use BIP-39 seed phrases as distractions while successfully enrolling malicious passkeys in compromised accounts.