Entra Passkey Enrollment Vishing Targets Microsoft 365 Users
A threat actor is using voice phishing to trick Microsoft 365 users into enrolling a fake Entra passkey, aiming to compromise accounts.

A sophisticated threat actor is actively targeting Microsoft 365 users with a novel vishing (voice phishing) campaign designed to trick them into enrolling a fraudulent Entra passkey. The attackers impersonate IT support personnel, initiating contact via phone calls to unsuspecting employees within targeted organizations. Their objective is to guide victims through a simulated passkey enrollment process, ultimately aiming to gain unauthorized access to their Microsoft 365 accounts.
The social engineering tactic employed in this attack is particularly insidious. Threat actors leverage the increasing adoption of passkeys for enhanced security and convenience, twisting this legitimate security feature into a vector for compromise. By posing as trusted IT staff, they create a sense of urgency and legitimacy, making it more likely for users to comply with their instructions. The attackers meticulously guide victims through a series of steps that mimic a genuine passkey enrollment, often involving fake websites or prompts that capture the user's credentials or passkey information.
This attack exploits the human element of security, preying on users' trust in their internal IT departments and their desire to maintain secure access to their work accounts. The use of voice calls adds a layer of personal interaction that can be more persuasive than traditional email phishing. Victims are likely unaware they are interacting with malicious actors until it is too late, by which point their account credentials or passkey information may have already been compromised.
The ultimate goal of this campaign is account takeover. Once an attacker obtains a valid Entra passkey or the associated credentials, they can bypass multi-factor authentication (MFA) and gain full access to the victim's Microsoft 365 environment. This could lead to data breaches, financial fraud, the deployment of further malware, or the use of the compromised account to launch attacks against other users within the organization.
While the article does not specify a particular CVE, this attack highlights the evolving landscape of credential theft and account compromise. As organizations increasingly adopt modern authentication methods like passkeys, threat actors adapt their techniques to target these new systems. This incident underscores the importance of continuous security awareness training for employees, emphasizing the need to verify requests, especially those involving sensitive credentials or security configurations, through independent channels.
Organizations using Microsoft 365 should reinforce security best practices, including educating users about vishing and passkey enrollment procedures. Employees should be trained to be skeptical of unsolicited calls requesting security actions and to always verify such requests through official IT support channels or by contacting their IT department directly using known contact information, rather than relying on information provided by the caller. The rise of such sophisticated social engineering attacks necessitates a multi-layered security approach that combines technical controls with robust user education.