passkeysvishingmicrosoft 365

    The Passkey Paradox: Vishing Exploits Enrollment Process

    A new vishing campaign targets Microsoft 365 users by exploiting the passkey enrollment process, highlighting critical vulnerabilities in user education and enterprise IAM strategies.

    Schutz IT 13 July 2026 6 min read

    The Passkey Paradox: Vishing Exploits Enrollment Process

    New Vishing Campaign Exploits Microsoft 365 Passkey Enrollment

    Recent reports indicate a sophisticated vishing campaign targeting Microsoft 365 users, exploiting the very process designed to enhance security: passkey enrollment. Threat actors are leveraging social engineering to trick employees into registering attacker-controlled passkeys, effectively bypassing multi-factor authentication (MFA) and gaining persistent access to enterprise accounts. This campaign underscores a critical vulnerability not in the passkey technology itself, but in the human element and the enrollment ceremony.

    The Attack Vector: Social Engineering Meets Security Rollout

    The campaign, attributed to an actor tracked as O-UNC-066 (also known as "Pink"), begins with a voice call to a targeted employee, purporting to be from internal IT support. The caller directs the victim to a phishing kit disguised as a legitimate Microsoft Entra ID login page, customized to appear as part of the victim's organization. The ruse involves convincing the user that they must enroll a new passkey for security reasons. During this process, while the victim believes they are securing their account, the attacker is silently registering their own passkey against the target's Microsoft 365 account. 8, 9

    This attack capitalizes on Microsoft's legitimate push for passkey adoption, specifically the "passkey registration campaigns" that administrators can initiate to encourage users to enroll passkeys. The threat actors have ingeniously turned this security-upgrade prompt into an attack pretext. 6

    Why This Matters for Enterprise Security

    This vishing campaign highlights several critical considerations for enterprise security teams:

    • Exploiting Trust and Urgency: The attackers are highly effective because they exploit the inherent trust employees place in their internal IT departments and the urgency often associated with security mandates. They adapt the authentication flow to match the victim's MFA requirements, making the deception highly convincing. 7
    • Persistent Access: Once an attacker's passkey is registered, they gain persistent, MFA-resistant access. This access survives password resets and traditional session revocations, making detection and remediation significantly more challenging. This creates a lasting backdoor into enterprise systems.
    • User Education Gaps: The success of this campaign points to a gap in user education regarding secure passkey enrollment processes. While passkeys are designed to be phishing-resistant, the enrollment phase introduces a new attack surface if not properly understood and governed.
    • Broader Industry Impact: The targeted organizations span multiple sectors, including food and beverage, technology, healthcare, automotive, construction, and aviation. This demonstrates the widespread applicability of such social engineering tactics and the critical need for robust defense mechanisms across industries.

    Mitigating the Risk: A Multi-pronged Approach

    Enterprises need to adopt a multi-faceted strategy to counter these evolving threats:

    • Enhanced User Training and Awareness: Regular and targeted training is crucial. Employees must be educated on the legitimate process of passkey enrollment, how to identify suspicious requests, and whom to contact for verification. Emphasize that legitimate IT support will never ask them to register a passkey over an unsolicited call.
    • Strengthened Enrollment Processes: Review and fortify passkey enrollment workflows. Consider implementing additional out-of-band verification steps for any new passkey registration, especially when initiated by a user or in response to a "campaign." This could involve a secondary confirmation via a trusted channel or requiring physical presence for initial setup.
    • Proactive Threat Intelligence: Stay informed about emerging social engineering tactics and vishing campaigns. Leverage threat intelligence to anticipate and prepare for attacks that mimic legitimate security initiatives.
    • Robust Monitoring and Anomaly Detection: Implement advanced logging and monitoring for passkey registrations and sign-in activities. Anomalous registrations (e.g., from unusual locations or devices) should trigger immediate alerts and investigations. This can involve integrating identity and access management (IAM) systems with Security Information and Event Management (SIEM) solutions.
    • Reviewing Microsoft 365 Security Configurations: Ensure that Microsoft 365 and Entra ID security settings are optimally configured to detect and prevent such attacks. This includes scrutinizing any third-party integrations that might inadvertently open pathways for compromise.

    The Future of Identity: Balancing Innovation with Security

    Passkeys represent a significant leap forward in authentication security, offering robust phishing resistance. However, the "Pink" campaign starkly illustrates that the benefits of new security technologies can be undermined if the human interface and transitional processes are not adequately secured. Enterprise security architects and IAM engineers must look beyond the technical specifications of new authentication methods and consider the entire lifecycle, including enrollment, recovery, and revocation, to build truly resilient identity postures.

    Keep reading