passkeysvishingphishing

    Vishing Targets Passkey Enrollment: A New Threat Vector

    Examine how vishing attacks exploit passkey enrollment processes in Microsoft 365, turning security upgrades into new vulnerabilities for enterprises. Learn how to protect your organization.

    Schutz IT 15 July 2026 6 min read

    Vishing Targets Passkey Enrollment: A New Threat Vector

    The Paradox of Progress: Passkeys and New Attack Surfaces

    Passkeys represent a significant leap forward in authentication security, offering a phishing-resistant alternative to traditional passwords and even many forms of multi-factor authentication (MFA). By leveraging public-key cryptography, passkeys aim to eliminate shared secrets, thereby removing the most common vectors for credential theft. However, as is often the case with technological advancements, new attack surfaces can emerge during the adoption and enrollment phases. Recent reports highlight a sophisticated vishing campaign that exploits the very process of passkey enrollment within Microsoft 365 environments, turning a security upgrade into a critical vulnerability for enterprises.

    Vishing Attacks Exploit Enrollment Flows

    Threat actors are actively leveraging voice-based social engineering (vishing) to trick employees into registering attacker-controlled passkeys. This campaign, tracked by Okta as O-UNC-066 and by Palo Alto Networks as "Pink," preys on the ongoing push by organizations to adopt stronger authentication methods. The attacks unfold as follows:

    • Impersonation: The attackers initiate phone calls to targeted employees, impersonating internal IT support or security teams.
    • Pretexting: They create a convincing pretext, claiming that the employee needs to enroll a new Microsoft Entra passkey for security reasons or compliance. This aligns with legitimate organizational messaging around passkey adoption, making the call appear credible.
    • Phishing Kit Diversion: Victims are directed to a malicious subdomain that mimics the legitimate Microsoft Entra ID login and passkey enrollment pages. This isn't a typical credential phishing site; it's a sophisticated phishing kit that dynamically adapts to the user's MFA requirements.
    • Malicious Enrollment: While the victim follows instructions to "enroll" their passkey, the attackers are quietly registering their own passkey to the victim's Microsoft 365 account. The sophisticated kit can even handle various MFA types, including TOTP, push notifications with number matching, and SMS OTP, to maintain the illusion while the malicious registration occurs. BleepingComputer reported on this campaign in early July 2026.

    This method bypasses the inherent phishing resistance of passkeys by manipulating the human element during the initial setup. The article by Help Net Security further details how the Pink cyber extortion crew leverages this technique.

    The Impact on Enterprise Security

    Even with Microsoft's move to make passkeys the default authentication method in Entra ID by September 2026, and its plans to retire native SMS and voice authentication for MFA by February 2027, the enrollment phase remains a weak link as reported by Redmondmag.com.

    For enterprises, this attack vector highlights several critical takeaways:

    The Human Factor Remains Paramount

    Even the most technologically robust authentication mechanisms can be undermined by social engineering. This campaign underscores that user education and awareness remain foundational to enterprise security. Employees must be trained to recognize and report suspicious requests, even those that appear to come from internal IT.

    Enrollment Processes are New Attack Surfaces

    As organizations transition to passwordless authentication, the onboarding and enrollment workflows become prime targets. Security teams must scrutinize these processes for potential manipulation and implement additional safeguards around passkey registration.

    The Need for Robust Out-of-Band Verification

    Enterprises need to establish clear, secure, and independent channels for verifying legitimate IT requests, particularly when they involve significant security changes like passkey enrollment. Relying solely on the communication channel initiated by the attacker is a critical vulnerability.

    Comprehensive Identity Governance

    Beyond simply deploying passkeys, enterprises require a mature identity governance framework. This includes robust monitoring for unauthorized credential changes, prompt detection of suspicious login activity, and streamlined processes for revoking compromised credentials.

    Protecting Your Organization

    To mitigate the risks posed by these evolving threats, enterprise security architects and CIAM engineers should consider the following:

    • Enhanced User Education: Conduct frequent, targeted training on social engineering tactics, specifically highlighting vishing attempts related to passkey enrollment. Emphasize that IT will never ask for credentials over the phone or demand immediate action on security changes through unsolicited calls.
    • Multi-Channel Verification: Implement policies requiring employees to independently verify any request for security changes, such as passkey enrollment, through official, pre-established channels (e.g., a known internal helpdesk number, a pre-assigned IT ticket system, or a secure internal portal) before proceeding.
    • Conditional Access Policies: Leverage Microsoft Entra Conditional Access to restrict passkey registration to trusted devices, networks, or geographies where possible. This can add a layer of protection against unauthorized enrollments from external sources.
    • Audit and Monitoring: Continuously monitor identity logs for unusual passkey registrations or modifications. Implement alerts for new authentication methods registered to user accounts, especially if they originate from unfamiliar IPs or devices.
    • Phased Rollouts and Communication: When rolling out passkeys, communicate clearly and consistently with users about the legitimate process. Provide examples of what a real enrollment prompt looks like and what employees should not do if contacted externally.
    • Review and Harden Enrollment Workflows: Work with your CIAM and PKI teams to scrutinize passkey enrollment flows. Can any steps be made more resistant to manipulation? Are there opportunities to add secondary, out-of-band approvals for critical changes?

    The shift to passwordless authentication with passkeys is a crucial step towards a more secure digital landscape. However, threat actors are agile and will continuously seek new weaknesses. By understanding these emerging attack vectors and proactively strengthening both technical controls and human defenses, enterprises can fully realize the security benefits of passkeys while minimizing exposure to sophisticated social engineering campaigns.

    Keep reading