TechBriefe
Tech Briefing

Entra Passkey Enrollment Vishing Scams Target Microsoft 365 Users

Rachel Lin 13.07.2026

How the Vishing Scheme Bypasses Traditional Defenses

A new voice‑phishing campaign is tricking Microsoft 365 users into installing fake Entra passkeys. The attacks began in early 2024 and have hit companies in finance, healthcare, and education. Fraudsters pose as IT staff, demanding immediate enrollment to „secure” accounts.

The scammers exploit a recently released feature that lets administrators push Entra passkey enrollment via phone. Victims receive a convincing call, often with a spoofed company number, and are instructed to follow a link sent by the attacker. Once the bogus passkey is entered, the malicious actor can hijack the user’s identity and access sensitive data. Researchers say the technique leverages trust in internal support channels and the novelty of passkey technology, making it harder for users to recognize the threat.

The attackers avoid typical email filters by using voice calls, a channel that many security tools do not monitor. They first gather employee names from public LinkedIn profiles, then craft a script that references recent internal projects. „The social engineering element is very strong,” said security analyst Maya Patel. „People expect a call from IT when a new security feature rolls out, so they comply without question.” The fraudsters also mimic the tone and terminology used in Microsoft’s official communications, further blurring the line between legitimate and malicious requests. By the time the passkey is entered, the victim’s account is already linked to the attacker’s credentials.

Why Are Passkeys Becoming a Prime Target?

Passkeys are promoted as a password‑less alternative that reduces phishing risk, yet they also become a valuable asset for attackers. Once a passkey is registered, it can be used to authenticate without additional factors, granting the fraudster seamless access. „If a malicious actor captures a passkey, they essentially own the account,” explained Dr. Luis Ortega, a cyber‑risk researcher. The new enrollment workflow, designed for convenience, inadvertently provides a shortcut for social engineers. Organizations that have not updated their user education programs are especially vulnerable, as many employees remain unfamiliar with the concept of passkeys and how they differ from traditional passwords.

The fallout from successful vishing attacks can be severe, ranging from data breaches to ransomware deployment. Experts advise companies to reinforce verification steps, such as requiring a secondary confirmation channel for any passkey enrollment. Ongoing monitoring of voice‑based interactions and rapid incident response will be critical as attackers refine their tactics.

Frequently Asked Questions

What should users do if they receive an unexpected call about passkey enrollment? Verify the request through an official internal channel, such as a known IT ticketing system, before proceeding with any enrollment steps.

Can existing security solutions detect this type of vishing attack? Most email‑centric security tools cannot, but voice‑call monitoring and employee training can help identify suspicious calls.

Is the Entra passkey feature itself unsafe? The feature is secure when used correctly; the risk lies in how attackers manipulate users into enrolling fraudulent passkeys.

Share:

More stories: