vishingpasskeysmicrosoft 365

    Vishing Attacks Exploit Passkey Enrollment: A New Threat

    Bad actors are targeting Microsoft 365 users with vishing attacks that exploit passkey enrollment processes. Learn how to protect your enterprise.

    Schutz IT 11 July 2026 6 min read

    Vishing Attacks Exploit Passkey Enrollment: A New Threat

    Vishing Attacks Exploit Passkey Enrollment: A New Threat Vector

    The adoption of passkeys is a significant step forward in securing enterprise identities, offering a more robust and phishing-resistant authentication method than traditional passwords and even many forms of multi-factor authentication (MFA). However, recent reports highlight a sophisticated vishing campaign that exploits the very enrollment process designed to enhance security, targeting Microsoft 365 users across various industries. Enterprise security teams must understand this evolving threat to adequately protect their organizations.

    The Anatomy of the Attack

    Threat actors, notably tracked by Okta as O-UNC-066 (also known as "Pink"), are executing highly targeted voice-based phishing (vishing) attacks. These attacks leverage a new capability in Microsoft Entra that allows administrators to initiate passkey registration campaigns to encourage user adoption. The attackers exploit this context to social engineer users into unwittingly compromising their accounts.

    The attack typically unfolds in several stages:

    • Initial Contact: Employees receive a vishing call, with the attacker impersonating IT support or security personnel. The pretext is often a "necessary security upgrade" requiring passkey enrollment.
    • Deceptive Redirection: The victim is then directed to a malicious website, often a subdomain that incorporates "passkey" in its name to appear legitimate. This site is a panel-controlled phishing kit designed to mimic the official Microsoft passkey enrollment process. The kit is highly adaptive, allowing the attacker to customize the authentication flow to match the victim's specific MFA requirements (e.g., TOTP, push notifications, SMS OTP).
    • Credential Harvesting and Passkey Compromise: As the victim attempts to "enroll" their passkey on the fake site, the real-time interaction with the phishing kit enables the attacker to capture session information and potentially register an attacker-controlled passkey to the victim's Microsoft 365 account. This grants the attacker persistent, unauthorized access.

    This sophisticated approach combines social engineering with adaptive phishing infrastructure, making it particularly challenging to detect with automated defenses alone. The attacker's ability to adapt the phishing flow to the victim's MFA setup significantly increases the likelihood of success.

    Why This Threat Is Significant for Enterprises

    This vishing campaign underscores several critical considerations for enterprise security architects, CISOs, and IAM engineers:

    • Erosion of Trust in New Security Measures: Passkeys are designed to combat phishing, yet this attack leverages the enrollment process itself as a vector. This can erode user trust in new security initiatives and make future security rollouts more difficult.
    • Advanced Social Engineering: The use of vishing, combined with real-time adaptive phishing kits, represents a higher level of sophistication than many traditional phishing attacks. It targets human vulnerabilities directly, circumventing technical controls designed to block automated attacks.
    • Microsoft 365 Account Takeover: Successful attacks lead to Microsoft 365 account compromise, which can result in data exfiltration, business email compromise (BEC), and further lateral movement within the organization. The primary motivation observed in this campaign is data extortion (ref 6).
    • Risk to Passkey Adoption Initiatives: As enterprises increasingly move towards passwordless authentication with passkeys, these types of attacks can impede adoption and force a re-evaluation of deployment strategies before the full benefits of passkeys can be realized.

    Protecting Your Enterprise Against Passkey Enrollment Vishing

    Mitigating this specific threat requires a multi-faceted approach that combines technical controls, robust policies, and continuous user education.

    Technical and Policy Controls

    1. Monitor Passkey Registrations: Implement continuous monitoring of passkey registrations within your identity provider (IdP) logs, specifically looking for unusual patterns or registrations from unmanaged devices. Alerts should be configured for any external or suspicious passkey enrollments.
    2. Restrict Enrollment Sources: Where possible, restrict passkey enrollment to enterprise-managed devices or IT-controlled processes. This can significantly reduce the attack surface by preventing attackers from registering their own passkeys during a compromised enrollment.
    3. Implement Conditional Access Policies: Leverage conditional access policies to enforce strict controls around passkey enrollment. For example, require enrollment only from trusted locations or compliant devices.
    4. Review and Secure Admin Capabilities: Regularly review how administrators can initiate passkey registration campaigns. Ensure these capabilities are used securely and that any related communications to users are official and distinct.

    User Education and Awareness

    1. Educate on Vishing Tactics: Conduct regular, targeted training for all employees on vishing attacks. Emphasize that legitimate IT or security teams will rarely, if ever, ask for personal authentication details or guide users through a sensitive enrollment process over an unsolicited phone call.
    2. Verify Requests: Instruct users to always verify any unexpected security-related requests, especially those involving authentication or enrollment, through established internal channels (e.g., a known IT helpdesk phone number or internal ticketing system), independent of the communication channel used by the attacker (ref 7).
    3. Recognize Phishing Kits: Train users to identify common indicators of phishing sites, even highly sophisticated ones. While these kits are adaptive, discrepancies in URLs, slight visual inconsistencies, or unusual requests can be red flags.
    4. "Think Before You Click/Act" Campaigns: Reinforce a culture of skepticism regarding unusual requests, particularly those that create a sense of urgency or fear.

    The Path Forward

    The emergence of vishing attacks targeting passkey enrollment highlights that even the most robust authentication mechanisms are vulnerable if the human element is not adequately secured. While passkeys offer a superior security posture against many traditional attack vectors, enterprises must remain vigilant and proactive in adapting their security strategies to counter evolving social engineering tactics.

    Securing the enterprise in the age of passkeys and beyond requires a holistic approach: continuously monitoring identity infrastructure, implementing stringent access policies, and, crucially, empowering users with the knowledge to recognize and resist sophisticated social engineering attempts (ref 8). This ongoing adaptation is key to maintaining a strong security posture against the adversaries who constantly seek to exploit any available vulnerability. vector. vulnerability, human or technical.

    Keep reading