passkeysvishingphishing

    Vishing Attacks Target Passkey Enrollment: A New Threat Vector

    Vishing attacks exploiting Microsoft Entra passkey enrollment are a critical new threat. Learn how enterprises can protect against this sophisticated social engineering tactic.

    Schutz IT 12 July 2026 6 min read

    Vishing Attacks Target Passkey Enrollment: A New Threat Vector

    The Rise of Passkey Enrollment Vishing

    Passkeys have emerged as a promising phishing-resistant authentication method, designed to simplify user experience and enhance security by eliminating passwords. However, recent reports highlight a sophisticated social engineering tactic where threat actors are exploiting the passkey enrollment process itself through vishing attacks. This new threat vector underscores the ongoing challenge of human vulnerability in even the most advanced security frameworks.

    Several security advisories, including those from Okta and BleepingComputer, detail campaigns targeting Microsoft 365 users. 6 7 Threat actors, such as the group tracked as O-UNC-066 (also known as "Pink"), are leveraging voice-based phishing (vishing) to trick employees into enrolling attacker-controlled passkeys for their Microsoft 365 accounts. These attacks are not exploiting vulnerabilities in the passkey technology but rather the trust and unsuspecting nature of users during the enrollment phase.

    How the Attacks Work

    The vishing campaigns typically involve the following stages:

    1. Impersonation: The attacker initiates a phone call to a targeted employee, often impersonating IT support or a security team member. They claim that the employee needs to register a new passkey for security reasons or as part of a mandatory upgrade.
    2. Deception and Redirection: The attacker directs the victim to a malicious website, often a highly convincing phishing kit that mimics the legitimate Microsoft Entra ID login and passkey enrollment pages. These malicious sites are frequently customized to appear as if they belong to the victim's employer.
    3. Real-time MFA Bypass: The phishing kit is sophisticated enough to adapt to the victim's Multi-Factor Authentication (MFA) requirements in real-time. This dynamic adaptation allows the attackers to guide the victim through what appears to be a legitimate authentication flow, including entering their credentials and completing MFA challenges (e.g., TOTP, push notifications, SMS OTP).
    4. Attacker-Controlled Passkey Enrollment: Crucially, during this orchestrated process, the victim is led to enroll a passkey that is actually generated and controlled by the attacker. Once this passkey is successfully registered on the employee's account, the attacker gains persistent, MFA-resistant access. This access survives password resets and typical session revocations, making detection and remediation challenging.

    Reports indicate that these campaigns have successfully targeted enterprise organizations across various sectors, including food and beverage, technology, healthcare, automotive, construction, and aviation. The primary motivation for these attacks is often data extortion. 8

    Implications for Enterprise Security Teams

    This new wave of vishing attacks highlights several critical considerations for enterprise security architects, CISOs, and IAM engineers:

    • User Training is Paramount: Even with advanced authentication methods like passkeys, social engineering remains a potent threat. Consistent, updated, and highly realistic security awareness training focusing on recognizing vishing attempts and suspicious enrollment processes is essential.
    • Beyond Technical Controls: While passkeys offer strong technical protection against phishing, their efficacy is diminished if the enrollment process can be hijacked. Security strategies must extend beyond purely technical controls to address the human element and procedural vulnerabilities.
    • Monitoring and Alerting on Enrollment Activities: Enterprises need robust monitoring and alerting mechanisms specifically for passkey enrollment activities. Unusual or unscheduled passkey registrations, particularly for high-privilege accounts, should trigger immediate investigation.
    • Out-of-Band Verification for Critical Changes: Implement strict out-of-band verification requirements for any critical identity changes, including new passkey enrollments. This could involve direct contact with the user via a trusted, pre-registered channel (e.g., a known phone number or internal chat system) to confirm the legitimacy of the request.
    • Reviewing Passkey Deployment Strategies: As enterprises accelerate passkey adoption, it's crucial to review deployment strategies for potential social engineering weaknesses. This includes how users are informed about passkey enrollment, the channels used for communication, and the authentication flows involved.
    • Incident Response Playbooks: Revamp incident response playbooks to include specific scenarios for hijacked passkey enrollments. The persistence of attacker access through their own passkey necessitates different remediation steps than traditional credential theft.

    Protecting Your Organization

    To mitigate the risk of passkey enrollment vishing, enterprises should adopt a multi-faceted approach:

    • Educate Users Continuously: Regularly educate employees on the latest social engineering tactics, emphasizing the importance of verifying unexpected requests for security changes or passkey enrollments. Teach them to be skeptical of any unsolicited calls or messages, even if they appear to be from internal IT.
    • Implement Strong Enrollment Policies: Define clear and secure policies for passkey enrollment. Consider dedicated, controlled enrollment processes (e.g., requiring physical presence or specific internal tools) for highly sensitive accounts or roles.
    • Leverage Behavior Analytics: Employ identity and access management (IAM) solutions with behavioral analytics capabilities to detect anomalous login patterns or passkey usage that deviates from typical user behavior.
    • Regular Audits of Registered Passkeys: Conduct periodic audits of registered passkeys across the organization, validating ownership and legitimacy to identify any unauthorized enrollments.
    • Secure Communication Channels: Ensure that all official communications regarding security updates, especially those concerning authentication methods, are delivered through verified, secure internal channels.

    While passkeys represent a significant leap forward in authentication security, their strength is ultimately tied to the integrity of their lifecycle, from initial enrollment to ongoing management. By understanding and proactively addressing these emerging social engineering threats, enterprises can ensure that the benefits of passkeys are fully realized without introducing new vulnerabilities. The onus is on security teams to anticipate how threat actors will adapt and to build resilient defenses that account for both technological and human factors.

    Keep reading