They Called Your Employee and Stole Their Passkey. Here's How Attackers Are Hijacking Microsoft 365 Accounts Right Now.
A threat actor has been weaponizing Microsoft's own passkey security upgrade to take over M365 accounts across healthcare, tech, and finance. Here's what business leaders need to know.
Your IT team rolled out passkeys. They told employees it was more secure than passwords. They were right — passkeys are harder to phish than passwords.
Then attackers figured out how to weaponize the rollout itself.
Since April 2026, a threat actor tracked as O-UNC-066 — also identified by Palo Alto Networks Unit 42 as CL-CRI-1147 — has been running a highly targeted voice phishing (vishing) campaign against organizations in healthcare, technology, food and beverage, automotive, and aviation. Their goal: convince employees to hand over control of their Microsoft 365 accounts by exploiting the passkey enrollment process Microsoft itself just pushed out.
Okta's Threat Intelligence team published the advisory on July 5. The technique is sophisticated, the targeting is deliberate, and the implications are significant for any organization running Microsoft 365.
What Actually Happens
The attack starts with a phone call.
An employee receives a call from someone claiming to be from their company's IT department or Microsoft support. The caller says the company is rolling out new passkeys — that part is true, because Microsoft has been nudging users to enroll in passkeys since May 2026. The employee is told they need to complete the enrollment by clicking a link and following the steps.
The link takes them to a convincing phishing kit that mirrors Microsoft Entra ID's legitimate passkey enrollment flow, complete with the victim organization's own logo and branding pulled from the real site. As the employee goes through what looks like a routine security setup, the attacker is simultaneously enrolling their own passkey in the victim's Microsoft 365 account — with real-time operator control of the phishing kit down to a one-second heartbeat.
By the time the employee finishes clicking through the screens, the attacker has added their own authentication credential to the victim's account. They can now log in as that employee, anytime, without a password.
The attackers then use that access for data extortion.
Why This Works So Well
A few factors combine to make this attack unusually effective.
First, timing. Microsoft's passkey rollout is real. Employees have actually been receiving enrollment nudges. When a caller says you need to complete your passkey setup, the request is plausible — not because the attacker is technically brilliant, but because they're riding a legitimate security initiative.
Second, the phishing kit is operator-steered in real time. This isn't a static phishing page. A human attacker is watching the victim's progress and advancing them through each stage of the fake enrollment flow at exactly the right moment. This real-time interaction makes it much harder to detect — and much easier to guide confused employees through the process.
Third, passkeys were supposed to be the solution to phishing. For years, security teams have been moving users away from passwords precisely because passwords are phishable. Passkeys were positioned as the answer. The psychological effect of an attacker hijacking the enrollment process for your anti-phishing upgrade is disorienting — and effective.
Who's Being Targeted
Okta has confirmed targeting across multiple industries: healthcare, technology, food and beverage, automotive, construction, and aviation. This is not a spray-and-pray campaign. The attackers are registering per-target subdomains customized with each victim organization's branding, which means they're doing reconnaissance before they call. They know who they're targeting, they've done the prep work, and they're calling specific employees at specific companies.
The threat group is also operating a data leak site, which tells you what they do with access once they have it. They're not just watching. They're exfiltrating and threatening to publish.
Three Questions to Ask Your Security Team This Week
This attack doesn't require technical sophistication from the victim. It requires only a phone call and a plausible pretext. That means your defense can't rely entirely on technology.
One: Do your employees know what a legitimate passkey enrollment request looks like — and what it doesn't look like? Microsoft's legitimate passkey enrollment happens through your own Microsoft Entra portal, not through a phone call to an IT helpdesk. If an employee is called and told to click a link to enroll a passkey, that should be a red flag. This is trainable. Most organizations haven't done the training yet.
Two: Can you detect a new authenticator being added to a user account? Microsoft Entra generates alerts when new authentication methods are added. Many organizations have these notifications turned off or not reviewed. If an attacker enrolls a passkey in your employee's account, you should know about it within minutes — not days.
Three: Do you have an out-of-band verification procedure for IT requests that arrive via phone? Voice-based social engineering is the entry point for a disproportionate number of major breaches — the JLR attack, the Medtronic attack, and now this campaign. If your employees have no way to verify that a caller is who they say they are, your identity stack has a gap that no amount of MFA can close.
The Bigger Pattern
This attack is part of a broader trend worth naming directly: attackers are no longer just attacking your security tools. They're attacking your security initiatives.
The passkey rollout was a defensive move. The BlueHammer campaign exploited Microsoft Defender — your antivirus. Attackers compromised FortiGate firewalls — your network perimeter. The pattern is consistent: the tools and upgrades your team deploys to improve security are themselves becoming attack surfaces, either technically or socially.
This doesn't mean stop rolling out passkeys. Passkeys are genuinely more secure than passwords and you should complete your rollout. It means security technology deployments need to be paired with communication, training, and alert monitoring — not just configuration and rollout.
What TrustPoint Recommends
If your organization is in the middle of a passkey or MFA upgrade, take three immediate steps. Brief employees on what legitimate IT requests look like and create a simple escalation path for anything that arrives via phone. Turn on and review Entra authentication lifecycle alerts. And establish a callback procedure — any IT request that involves account changes should be verifiable by calling an IT number your employees already know, not a number provided by the caller.
TrustPoint Cyber helps organizations build identity security programs that account for the human layer — because that's where most attacks land first. If you'd like a quick review of your current M365 identity configuration and alert posture, reach out. We'll tell you what you actually need to see.
Ready to strengthen your security?
TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.