Vishing Attacks Target Passkey Enrollment: A New Threat Vector
Passkeys are lauded as a significant leap forward in authentication, offering a phishing-resistant, passwordless experience. However, recent developments highlight a critical new vulnerability: the passkey enrollment process itself. Threat actors are now exploiting the very mechanism designed to enhance security, demonstrating that even the most robust authentication methods can be undermined by sophisticated social engineering.
The Rise of Vishing in Passkey Enrollment
Recent campaigns, particularly targeting Microsoft 365 users, reveal a concerning trend. An extortion group, tracked as O-UNC-066 (also known as "Pink"), has been observed employing vishing tactics to hijack Microsoft Entra passkey enrollment. This sophisticated social engineering campaign preys on human trust and a lack of awareness regarding the nuances of new authentication methods [6].
The attack typically unfolds as follows:
- Vishing Call: The victim receives a call from an attacker impersonating IT support, claiming it's time to set up a passkey for security purposes.
- Malicious Lure: The victim is directed to a spoofed Microsoft Entra ID login page, meticulously crafted to resemble their organization's portal.
- Credential Harvesting & Passkey Registration: The victim is instructed to log in with their existing Microsoft 365 credentials, including their second authentication factor. Crucially, while the victim believes they are enrolling their passkey, the attackers are actively registering their own passkey to the victim's account [9].
This method bypasses the inherent phishing resistance of passkeys by manipulating the user during the initial setup. Once the attacker's passkey is registered, they gain persistent, MFA-resistant access, effectively owning the victim's Microsoft 365 account.
Why This is a Critical Enterprise Threat
This type of attack is particularly insidious because it leverages legitimate workflows and a technology—passkeys—that enterprises are actively adopting to strengthen their security posture. Several factors make this a significant threat:
- Exploiting Trust: Attackers capitalize on the inherent trust employees place in their IT departments. The perceived legitimacy of the enrollment request makes victims more susceptible.
- Bypassing MFA: Traditional multi-factor authentication (MFA) mechanisms are rendered ineffective once an attacker registers their own passkey, as they can then authenticate directly without needing to intercept subsequent MFA challenges.
- Persistent Access: Unlike session hijacking, which can be transient, a registered passkey grants persistent access, surviving password resets and session revocations, making detection and remediation more challenging.
- Timing of Adoption: The timing of these attacks coincides with Microsoft's push for passkey adoption in Entra ID, including automatic enablement for users and the retirement of SMS/voice authentication by February 2027 [8]. This creates a window where users are being "nudged" towards passkeys, making the attacker's pretext more believable.
Organizations are in a transition period. While entities like Microsoft are making passkeys the default authentication method in Entra ID by September [7], the process of migration can introduce new attack surfaces if not managed carefully.
Mitigating the Risk of Passkey Enrollment Hijacking
Enterprises must proactively address this emerging threat by focusing on a multi-pronged approach that combines user education, robust identity governance, and continuous monitoring.
1. Enhance User Education and Awareness
Training employees to recognize and report social engineering attempts is paramount. Specific guidance should include:
- Verify Requests: Instruct employees to verify any unexpected requests for passkey enrollment through official IT channels (e.g., internal ticketing systems, known IT contact numbers) before proceeding.
- Understand Legitimate Workflows: Educate users on the legitimate process for passkey registration within the organization, so they can identify anomalies.
- Be Suspicious of Urgency: Social engineering often relies on creating a sense of urgency. Employees should be cautious of requests demanding immediate action.
2. Implement Strong Identity Governance and Lifecycle Management
Effective governance is crucial for managing the entire identity lifecycle, including passkey enrollment.
- Enrollment Controls: Implement strict controls around who can enroll passkeys and under what circumstances. Consider requiring administrative approval or ensuring enrollments only occur on trusted, corporate-managed devices.
- Audit and Monitor: Continuously audit passkey registrations and monitor for unusual activity. Rapid detection of unauthorized passkey enrollments is critical for containment.
- Policy Enforcement: Define and enforce clear policies for passkey usage and management, including procedures for revoking unauthorized passkeys quickly.
3. Leverage Technical Safeguards
While user awareness is vital, technical controls provide a necessary layer of defense.
- Conditional Access Policies: Utilize Conditional Access policies to restrict passkey enrollment to trusted networks or compliant devices.
- Phishing-Resistant MFA Prioritization: Prioritize the deployment of truly phishing-resistant MFA methods that are not susceptible to enrollment hijacking (e.g., FIDO2 keys with physical presence requirements).
- Out-of-Band Verification: For critical access, consider implementing additional out-of-band verification steps for any significant changes to authentication methods, including passkey enrollment.
Conclusion
The move towards passkeys represents a significant security enhancement for enterprises. However, the sophistication of current threat actors means that even advanced authentication mechanisms are not immune to social engineering. The "Pink" group's success in hijacking Microsoft 365 accounts via fake passkey setups underscores the importance of a holistic security strategy that combines robust technical controls, stringent identity governance, and continuous user education. Enterprises must prepare not just for the adoption of new technologies, but also for the evolving tactics attackers will use to subvert them.