passkeysvishingphishing

    Vishing Attacks Target Passkey Enrollment: A New Threat Vector

    Vishing campaigns are now exploiting passkey enrollment processes, tricking users into registering attacker-controlled passkeys. Learn how this new threat vector impacts enterprise security.

    Schutz IT 9 July 2026 6 min read

    Vishing Attacks Target Passkey Enrollment: A New Threat Vector

    Vishing Attacks Exploit Passkey Enrollment: A New Threat Vector

    The adoption of passkeys is revolutionizing identity and access management by offering a phishing-resistant, passwordless authentication method. However, threat actors are continuously adapting their tactics. Recent reports highlight a concerning trend: vishing campaigns specifically targeting enterprise passkey enrollment processes. These attacks, observed since April 2026, demonstrate a new and sophisticated threat vector that security architects and IAM engineers must address proactively.

    The Mechanics of the Attack

    Threat actors are leveraging a combination of social engineering and technical deception to compromise user accounts. The core of the attack involves:

    1. Vishing as the Initial Lure: Attackers initiate contact with targeted employees via phone, often impersonating IT support or security personnel. They inform the user that they need to enroll a new passkey for security reasons, creating a sense of urgency and legitimacy.
    2. Sophisticated Phishing Kits: Victims are directed to meticulously crafted phishing kits that mimic legitimate passkey enrollment portals, particularly those for platforms like Microsoft Entra. These kits are often panel-controlled, allowing attackers to adapt to different scenarios and track victim interactions.
    3. Real-Time Passkey Enrollment: The critical step occurs when the victim, believing they are securing their account, initiates the passkey enrollment process through the attacker's phishing kit. Unbeknownst to the user, the attacker is simultaneously registering their own passkey to the user's account in real-time. This effectively grants the attacker an authenticated, phishing-resistant credential to the victim's identity.

    Okta's threat intelligence, which tracks this activity under the actor O-UNC-066 (also known as "Pink"), indicates that these campaigns are targeting a wide range of industries, including food and beverage, technology, healthcare, automotive, construction, and aviation. The primary motivation appears to be data extortion [7].

    Why This Threat Is Significant for Enterprises

    This new wave of vishing attacks undermines one of the key benefits of passkeys: their inherent resistance to traditional phishing. While passkeys eliminate shared secrets like passwords and are cryptographically bound to specific devices and sites, a manipulated enrollment process creates a backdoor for attackers.

    • Circumventing Phishing Resistance: The attacks capitalize on the human element, tricking users into inadvertently authorizing an attacker's passkey. This bypasses the very mechanism designed to prevent credential theft.
    • Persistence and Account Takeover: Once an attacker has registered a passkey to a victim's account, they gain persistent access. This is a complete account takeover, providing the attacker with the same secure login capabilities as the legitimate user.
    • Scalability Concerns: The use of sophisticated, panel-controlled phishing kits suggests that these attacks are scalable and can be deployed against numerous targets simultaneously.
    • Erosion of Trust: Successful attacks can erode employee trust in new security initiatives, potentially hindering broader adoption of advanced authentication methods.

    Mitigating the Risk: A Multi-Layered Approach

    Enterprise security teams must evolve their strategies to counter these sophisticated vishing campaigns. A multi-layered approach encompassing technical controls, user education, and strict enrollment policies is essential.

    Technical Controls:

    • Conditional Access Policies: Implement robust conditional access policies that restrict passkey enrollment to trusted devices, networks, or locations. For highly sensitive accounts, consider requiring enrollment only from company-managed devices with specific security postures.
    • Enrollment Restrictions: Limit who can enroll passkeys and under what circumstances. For administrative accounts or critical infrastructure access, consider requiring in-person or multi-stage approval for new credential registrations.
    • Behavioral Anomaly Detection: Deploy systems that monitor for unusual passkey enrollment activities. For instance, an enrollment from an unrecognized IP address or device, or a high volume of enrollments from a single user in a short period, should trigger alarms.
    • Logging and Auditing: Ensure comprehensive logging of all passkey enrollment and usage events. Regularly audit these logs for suspicious activities. Detailed logging aids in detection and forensic analysis post-incident.

    User Education and Awareness:

    • Targeted Training on Vishing: Educate employees specifically about vishing tactics, particularly those involving requests to enroll or reset authentication methods. Emphasize that legitimate IT or security personnel will rarely, if ever, ask for such actions over an unsolicited phone call.
    • Verified Communication Channels: Instill a culture where employees verify the legitimacy of any security-related requests through established, trusted communication channels (e.g., calling a known help-desk number directly, not one provided by the caller).
    • Simulation Exercises: Conduct simulated vishing and social engineering attacks to test employee resilience and identify areas for further training. This helps employees recognize the signs of an attack in a controlled environment.
    • Passkey Best Practices: Reinforce the understanding that passkeys are highly secure when used correctly and explain how they should be enrolled and managed only through official, verified channels.

    Policy and Governance:

    • Clear Enrollment Policies: Establish clear, documented policies for passkey enrollment, including who can enroll, acceptable devices, and any required approval processes. These policies should be readily accessible to all employees.
    • Phased Rollouts: For critical systems or high-privilege users, consider a phased rollout of passkey enrollment. This allows the security team to monitor for anomalies and refine policies before widespread adoption.
    • Incident Response Preparedness: Update incident response plans to specifically address passkey compromise scenarios. This includes procedures for revoking attacker-controlled passkeys, re-securing accounts, and notifying affected users.

    The Future of Secure Authentication

    The emergence of these vishing attacks underscores a fundamental truth in cybersecurity: as defenses improve, attackers innovate. While passkeys represent a significant leap forward in authentication security by eliminating the threat of traditional password phishing, the human element remains a vulnerability.

    Singapore's rapid adoption of passkeys for its national digital ID system, Singpass, demonstrates the technology's potential to drastically reduce phishing losses [10]. However, the Microsoft Entra vishing campaigns are a stark reminder that even the most robust technical controls can be undermined by sophisticated social engineering. By proactively implementing stringent technical controls, comprehensive user education, and clear governance, enterprises can harness the power of passkeys while effectively defending against these evolving threats.

    Keep reading