vishing attackspasskey securitymicrosoft 365 security

    Vishing Attacks Exploit Passkey Enrollment for M365 Account Takeover

    Threat actors are exploiting Microsoft 365 passkey enrollment through sophisticated vishing campaigns. Learn how to protect your enterprise from these evolving social engineering tactics.

    Schutz IT 10 July 2026 6 min read

    Vishing Attacks Exploit Passkey Enrollment for M365 Account Takeover

    Vishing Attacks Exploit Passkey Enrollment for M365 Account Takeover

    Recent reports indicate a significant escalation in social engineering tactics, with threat actors now weaponizing passkey enrollment processes to compromise enterprise Microsoft 365 accounts. This emerging threat, tracked by Okta as O-UNC-066 (and known as "Pink" by Palo Alto Networks Unit 42), highlights the persistent challenge of human-centric vulnerabilities in even the most advanced security frameworks. For enterprise security architects, CISOs, and IAM engineers, understanding and mitigating this specific vishing vector is crucial.

    The Attack Vector: Exploiting Trust in New Security Paradigms

    Passkeys are heralded as a significant leap forward in authentication, offering a phishing-resistant alternative to traditional passwords. However, the sophistication of these new vishing campaigns demonstrates that even robust security mechanisms can be undermined when users are manipulated. The attack typically begins with a voice-based phishing (vishing) call, where assailants impersonate IT support and instruct employees to "enroll a new passkey" for security reasons.

    Victims are then directed to meticulously crafted phishing pages that mimic legitimate Microsoft passkey enrollment flows, often customized to reflect the victim's organization's branding. What makes this particularly insidious is the real-time, operator-controlled nature of the phishing kit. Instead of a fully automated process, a live attacker guides the victim through the steps, adapting the user experience to bypass various multi-factor authentication (MFA) requirements, including TOTP, push notifications with number matching, and SMS OTPs [7, 8].

    During this guided process, the victim unknowingly authorizes the attacker to register their own passkey to the victim's Microsoft 365 account. This effectively grants the threat actor persistent access, allowing them to bypass subsequent authentication challenges and facilitate data extortion or further malicious activities [6, 9].

    Why This Threat Is Particularly Potent

    This vishing campaign leverages several critical factors that make it highly effective:

    • Exploitation of Trust: Attackers capitalize on the inherent trust users place in IT support and the urgency created by "security upgrade" directives.
    • Mimicry of Legitimate Processes: The phishing pages are designed to be almost indistinguishable from official Microsoft enrollment portals, reducing suspicion.
    • Real-time Adaptation: The ability of threat actors to dynamically respond to user actions and MFA challenges makes automated detection and prevention more difficult.
    • New Security Feature Exploitation: The attackers are quickly adapting to and exploiting newly rolled out security features, such as Microsoft's "passkey registration campaigns," which were intended to encourage adoption of passkeys [7].

    Implications for Enterprise Security Teams

    The O-UNC-066 campaign, which has targeted diverse sectors including food and beverage, technology, healthcare, automotive, construction, and aviation, underscores the need for enterprises to bolster their defenses against advanced social engineering [6, 9, 10].

    • Enhanced User Training: While passkeys are phishing-resistant, the enrollment process can be vulnerable to social engineering. Training must extend beyond general phishing awareness to include specific warnings about unsolicited requests to register or re-enroll passkeys. Emphasize that legitimate passkey enrollment should only occur through verified, known channels initiated by the user.
    • Strict Enrollment Controls: Review and tighten controls around passkey enrollment. Can specific IP ranges or devices be whitelisted for initial passkey registration? Implement policies that require additional, out-of-band verification for any new passkey enrollment request, particularly if initiated by a third party.
    • Monitoring and Alerting: Implement robust identity and access management (IAM) monitoring that specifically alerts on unusual or rapid passkey enrollment activities, especially if originating from new or uncharacteristic locations/devices. Behavioral analytics can help detect deviations from normal user patterns.
    • Incident Response Preparedness: Ensure incident response plans are updated to address passkey compromise scenarios, including rapid revocation of compromised passkeys and remediation of affected accounts.
    • Zero Trust Principles: Reinforce Zero Trust principles throughout your identity architecture. Even with strong authentication, continuously verify access requests and maintain least-privilege access to limit the blast radius of any successful compromise.

    Protecting Your Enterprise

    While passkeys represent a significant advancement for enterprise security, their successful adoption hinges not only on their cryptographic strength but also on the resilience of the human element and the processes surrounding their deployment. As threat actors continue to evolve their tactics, enterprises must continuously adapt their security strategies, focusing on comprehensive user education, stringent access controls, and vigilant monitoring to safeguard against sophisticated social engineering attacks exploiting even the most secure authentication methods. Organizations leveraging Microsoft 365 should be particularly attentive to this emerging threat vector and proactively implement mitigation strategies [7, 8].

    Keep reading