Okta Threat Intelligence published research on July 6, 2026 into a threat actor it tracks as O-UNC-066, and the campaign is notable for what it leaves out rather than what it includes. There is no phishing email, no spoofed domain, and no malicious attachment anywhere in the initial attack chain. Instead, the operation runs entirely over the phone, talking employees into enrolling a passkey that belongs to the attacker rather than to them. By the time the account is compromised, the attacker is operating inside a fully authenticated Microsoft 365 session, and every piece of mail infrastructure downstream of that session, including DMARC, has nothing unusual to flag.
How the Vishing Attack Works
Palo Alto Networks Unit 42 tracks the same activity cluster as CL-CRI-1147 and describes it as affiliated with The Com, the loose cybercrime collective whose orbit also includes Scattered Spider, ShinyHunters, and LAPSUS$. Since April 2026, O-UNC-066 has registered domains that work the word “passkey” into their name, then called targeted employees directly, posing as IT or security staff and telling them a new passkey needs to be registered on their account for security reasons. The victim is walked, live, through a phishing kit that closely imitates the real Microsoft Entra passkey enrollment flow. Because the kit is operator-controlled rather than fully automated, the attacker on the call adapts in real time to whatever MFA method the victim’s account actually uses, steering the conversation until the victim approves what they believe is a routine security upgrade. What they are actually approving is the attacker’s own device being registered as a trusted authenticator on their account.
Who Is Being Targeted
Okta has observed O-UNC-066 targeting enterprise organizations across food and beverage, technology, healthcare, automotive, construction, and aviation. The threat actor is not opportunistic mass-market crime; it is deliberate, sector-spread targeting consistent with a group that has done its homework on which organizations are worth the time a live phone call requires. On May 31, 2026, the group stood up a data leak site under the name Pink, giving away its actual objective: this is an extortion operation. Once inside a Microsoft 365 tenant, Pink moves quickly to pull data out of SharePoint and OneDrive, then uses the leak site to pressure victims into paying rather than have that data published.
Why DMARC Never Sees This
It is worth being explicit about why this campaign sits entirely outside what DMARC, SPF, and DKIM were built to check. Those three protocols exist to verify one thing: that an email claiming to come from a given domain actually originated from infrastructure that domain’s owner authorized. A vishing call is not an email. It never touches SMTP, never carries a From header, and never generates a single DMARC-relevant signal, because the entire attack, from the first ring to the passkey approval, happens over a phone network that email authentication has no visibility into whatsoever.
The part that should concern defenders more is what happens after the call ends. Once the attacker’s device is enrolled as a legitimate authenticator, they are not forging the victim’s identity from outside; they are the victim’s identity, as far as Microsoft 365, Entra, and every downstream service can tell. If that attacker chooses to send mail from the compromised mailbox, whether internal BEC-style requests or messages to external partners, that mail will carry a real, valid DKIM signature, will originate from Microsoft’s own authorized sending infrastructure, and will pass DMARC alignment cleanly at any recipient checking it. The account takeover happened entirely outside DMARC’s field of view, and the fraud that can follow it is engineered to pass every check DMARC performs.
What Defenders Should Do
Treat passkey and MFA enrollment requests as a privileged action, not a routine one. Any request to register a new authenticator, made by phone, should be verified through a callback to a known internal number or a ticket in your existing IT service system, never by trusting the caller on the line.
Train employees specifically on vishing, separately from email phishing training. Most security awareness programs are built almost entirely around spotting suspicious emails and links. A caller who sounds calm, references real internal terminology, and frames the request as standard security hygiene is a different skill to defend against, and it needs its own training track.
Monitor for new authenticator enrollments as a detection signal, not just a provisioning event. A passkey or MFA method added outside a known onboarding or device-refresh window, especially one added shortly before unusual SharePoint or OneDrive activity, is exactly the pattern this campaign produces.
Keep DMARC enforcement in place regardless. Locking your domains to p=reject does nothing to stop a vishing-based account takeover, but it still closes the separate, simpler door of someone spoofing your domain outright from outside. The two controls protect against different failure modes, and neither is a substitute for the other.
The Takeaway
O-UNC-066 is a reminder that the account behind your DMARC policy is only as trustworthy as the process used to authenticate into it. DMARC protects the claim that a message came from your domain’s authorized infrastructure. It says nothing about who is sitting behind that infrastructure once they have talked their way past your MFA. As attackers keep finding channels, like a phone call, that never generate an email in the first place, the account itself becomes the thing worth watching, not just the mail it eventually sends.
Excello Mail gives you continuous visibility into your DMARC aggregate reports and authorized sending sources, so a compromised account sending unexpected mail through your own infrastructure is easier to spot. Sign up for free to Excello Mail to keep that visibility in place while your team locks down how MFA and passkeys get enrolled.