Attackers phone Microsoft 365 users to walk them through fake passkey setup
Okta warns of a campaign that phones Microsoft 365 users and talks them through what looks like setting up a passkey, but is actually a phishing kit that hands their account to the attacker. Active since April, the operators register passkey-themed domains and call targets, exploiting unfamiliarity with how passkeys really work. The kit mimics Microsoft's passkey enrollment without registering a real passkey, and pushes the victim to "save a recovery key" that the attacker controls, capturing the access needed to take over the account. The campaign, aimed at extortion, notably targets the passkey adoption process itself, turning a security upgrade into a social-engineering opening.
- Check
- Tell staff that Microsoft passkey setup happens through a device system prompt, not a phone call or web form, and that anyone calling to walk them through passkey registration is suspicious.
- Affected
- Microsoft 365 users unfamiliar with passkey enrollment; a convincing phone call plus a look-alike registration page can trick them into handing over the access an attacker needs to take over the account.
- Fix
- Train users on the genuine passkey enrollment flow, restrict who can register new authentication methods and recovery keys, monitor Entra for unexpected authentication-method changes, and verify unsolicited passkey calls internally.