Last updated: July 9, 2026 at 7:32 AM UTC
All 580 Vulnerability 209 Breach 109 Threat 255 Defense 7
Tag: entra (1 article)Clear

Attackers phone Microsoft 365 users to walk them through fake passkey setup

Okta warns of a campaign that phones Microsoft 365 users and talks them through what looks like setting up a passkey, but is actually a phishing kit that hands their account to the attacker. Active since April, the operators register passkey-themed domains and call targets, exploiting unfamiliarity with how passkeys really work. The kit mimics Microsoft's passkey enrollment without registering a real passkey, and pushes the victim to "save a recovery key" that the attacker controls, capturing the access needed to take over the account. The campaign, aimed at extortion, notably targets the passkey adoption process itself, turning a security upgrade into a social-engineering opening.

Check
Tell staff that Microsoft passkey setup happens through a device system prompt, not a phone call or web form, and that anyone calling to walk them through passkey registration is suspicious.
Affected
Microsoft 365 users unfamiliar with passkey enrollment; a convincing phone call plus a look-alike registration page can trick them into handing over the access an attacker needs to take over the account.
Fix
Train users on the genuine passkey enrollment flow, restrict who can register new authentication methods and recovery keys, monitor Entra for unexpected authentication-method changes, and verify unsolicited passkey calls internally.