Vishing Attacks Target Passkey Enrollment: A Growing Enterprise Threat
The Rise of Vishing in Passkey Enrollment
Passkeys promise a future of phishing-resistant authentication, eliminating traditional passwords and enhancing enterprise security postures. However, recent developments highlight a critical vulnerability not in the passkey technology itself, but in the human element of its enrollment process. Threat actors are now leveraging sophisticated vishing (voice phishing) campaigns to hijack passkey enrollment procedures, gaining persistent and MFA-resistant access to enterprise accounts, particularly within Microsoft 365 environments.
This evolving threat underscores the need for enterprises to re-evaluate their security protocols around passkey adoption and focus on robust identity governance during rollout phases. As organizations like Microsoft accelerate passkey adoption by making them the default authentication method in Entra ID (Microsoft Entra ID security updates: Passkeys are the default authentication method in Entra ID | Microsoft Security Blog), the attack surface around enrollment procedures becomes a prime target for adversaries.
How the Attack Works: Social Engineering the Enterprise
The vishing campaign operates by exploiting trust and leveraging social engineering tactics. A threat group, tracked as O-UNC-066 (also known as "Pink"), has been observed cold-calling enterprise employees across various industries. Impersonating corporate IT support, these attackers guide victims through a seemingly legitimate "new passkey enrollment for security" process (Your Passkey Is Now Theirs: How Hackers Are Hijacking Microsoft Entra Passkey Enrollment to Own Microsoft 365 Accounts - PurpleSec).
The core of the attack lies in the attacker