passkeysvishingmicrosoft 365

    Vishing Targets Passkey Enrollment: A New Attack Vector

    Vishing campaigns are exploiting legitimate Microsoft 365 passkey enrollment flows. Learn how threat actors bypass MFA and what enterprises must do to protect user accounts.

    Schutz IT 14 July 2026 6 min read

    Vishing Targets Passkey Enrollment: A New Attack Vector

    The Evolving Threat of Vishing in Passkey Enrollment

    Recent reports highlight a critical new attack vector: vishing campaigns exploiting how organizations onboard and enroll users for passkeys. Threat actors are leveraging legitimate processes to bypass multi-factor authentication (MFA) and gain persistent access to Microsoft 365 accounts. This strategy underscores a significant challenge for enterprise security teams moving towards passwordless authentication: the human element remains a primary vulnerability, even with advanced cryptographic methods [6, 8].

    How the Attack Works

    The attack begins with a vishing call to a targeted employee, where the attacker impersonates IT support. Under the guise of a security upgrade, they instruct the victim to enroll a new Microsoft Entra passkey. The victim is then directed to a sophisticated phishing kit that meticulously imitates the legitimate Microsoft passkey enrollment process. This kit adapts to the victim's specific MFA requirements (e.g., push notifications, TOTP, SMS OTP) in real-time, making the social engineering highly convincing [9].

    The critical step involves tricking the user into registering a passkey that is covertly controlled by the attacker. Once this malicious passkey is registered, the threat actor gains persistent, MFA-resistant access to the user's Microsoft 365 account. This access survives password resets and traditional incident response playbooks, posing a severe threat to enterprise data and operations [10].

    The Allure of Passkeys and Their Vulnerability

    Passkeys represent a significant leap forward in authentication, offering a phishing-resistant, passwordless experience. Microsoft, among other tech giants, has actively promoted passkey adoption, even implementing "nudge campaigns" to encourage users to enroll FIDO2 passkeys for their Microsoft 365 accounts [7]. The underlying cryptographic strength of passkeys remains robust. However, this new vishing technique exploits the enrollment process rather than the passkey technology itself.

    The convenience and enhanced security of passkeys are undeniable, replacing traditional passwords with cryptographically secure credentials tied to devices. Yet, the initial setup phase often requires user interaction, creating a window for social engineering. As enterprises accelerate their adoption of passkeys to combat phishing and credential theft, understanding and securing this enrollment phase becomes paramount.

    Implications for Enterprise Security Teams

    This emerging threat highlights several critical considerations for enterprise security architects, CISOs, and IAM engineers:

    • Securing the Enrollment Workflow: The focus must shift beyond the cryptographic robustness of passkeys to comprehensively secure the entire passkey lifecycle, particularly the enrollment and recovery processes. This involves scrutinizing how users are guided through passkey setup and ensuring these processes are impervious to social engineering.
    • Enhanced User Education: While passkeys are designed to be user-friendly, employees need education on the specific threats related to passkey enrollment. Training should emphasize that legitimate IT support will rarely, if ever, guide users through an immediate, unsolicited passkey setup over the phone.
    • Robust Out-of-Band Verification: Any process involving the enrollment or modification of high-security authentication methods like passkeys should ideally incorporate robust out-of-band verification. This could include confirmation through a different, pre-registered device or a separate, secure communication channel.
    • Monitoring and Alerting on Enrollment Anomalies: Enterprises must implement telemetry and alerting capabilities to detect unusual passkey enrollment activities. This includes monitoring for enrollments from unfamiliar locations or devices, or a sudden surge in enrollments for specific users.
    • Reviewing Passkey Management Policies: Organizations should review their Entra ID (and other identity provider) policies regarding passkey registration campaigns and user enrollment flows. This includes assessing default behaviors and ensuring that administrative controls effectively mitigate the risk of malicious enrollment.

    Proactive Measures for Protection

    To counter these sophisticated vishing attacks, enterprise security teams should consider the following proactive measures:

    1. Strict Enrollment Policies: Implement policies that require explicit administrative approval or multi-step verification for new passkey enrollments, especially for critical accounts.
    2. Continuous Awareness Training: Regularly update security awareness training to include examples of passkey enrollment vishing. Emphasize verification procedures for any IT requests, particularly those involving security credentials.
    3. Harden Attack Surfaces: Limit direct phone-based support for sensitive identity operations where possible, or ensure such interactions are initiated and verified through secure, known channels.
    4. Leverage Identity Provider Features: Actively utilize security features offered by identity providers like Microsoft Entra ID to monitor and restrict passkey enrollment to trusted devices and networks.
    5. Incident Response Playbooks: Update incident response playbooks to specifically address potential passkey compromise scenarios, including procedures for revoking malicious passkeys and re-securing affected accounts.

    As organizations embrace passwordless futures, the threat landscape adapts. While passkeys offer superior protection against many traditional attacks, the ingenuity of threat actors in exploiting process vulnerabilities means that vigilance, robust governance, and continuous security education remain indispensable elements of a strong enterprise security posture.

    Keep reading