A Phished OTP Can Buy the Attacker a Passkey in Your Tenant, and the Registration Audit Trail Is Your Most Direct Signal
O-UNC-066 appears built to walk a victim through a fake passkey enrollment while the operator registers an attacker-controlled passkey in the real Entra tenant. It survives the password reset, and the most direct durable evidence is the authentication-method registration audit trail — written from a session your controls let through because the registration action was protected only by relayable MFA.