Ravie LakshmananJul 10, 2026Enterprise Security / Authentication

A threat actor has been targeting organizations spanning multiple sectors with voice-based fake security requests that prompt Microsoft 365 users to enroll a new Entra passkey with an aim to carry out data extortion attacks.

The threat actor, tracked by Okta under the moniker O-UNC-066, has deployed a panel-controlled phishing kit that's capable of targeting the passkey enrollment process. The activity has singled out food and beverage, technology, healthcare, automotive, construction, and aviation industries.

"The threat actor registers domains that incorporate the word passkey as part of a voice-enabled phishing ('vishing') scheme," Okta researcher Houssem Eddine Bordjiba said. "The threat actor then calls targeted users on the phone in an attempt to persuade them that they need to register a new passkey."

Users are then directed to a phishing kit that's identical to the Microsoft passkey enrollment process, giving the impression that they are adding a passkey with Microsoft, when, in reality, the threat actor registers their own passkey against their Microsoft account, granting them unauthorized access.