Bottom line: Attackers use phone calls to convince Microsoft 365 users to register fake Entra passkeys and thereby compromise access privileges.
Attackers are conducting vishing campaigns that trick Microsoft 365 users into registering a new Entra passkey. The campaign affects organizations across multiple sectors.
A threat actor is currently conducting targeted vishing calls against Microsoft 365 environments. The attackers pose as security personnel and pressure users to register a new Entra passkey. Entra passkeys are Microsoft’s modern, passwordless authentication mechanisms that are promoted as a security improvement.
The campaign targets organizations across various industries. The social engineering approach via phone calls is based on the growing adoption of passkeys in enterprise environments and the unfamiliarity of many employees with the registration process. Attackers leverage authenticity and urgency to convince users to confirm suspicious registration steps.
For CISOs, this means that even modern authentication mechanisms do not protect against social engineering. Employee training on vishing tactics is necessary, along with clear internal protocols for authentication requests and controls in Entra administration that detect or block unusual passkey registrations. At the same time, MFA configurations should be reviewed to prevent newly registered passkeys from becoming active immediately.
Source: www.bleepingcomputer.com · Published July 8, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.