In short: Attackers are using vishing calls to manipulate users into registering fake Entra passkeys and gain access to Microsoft 365 environments.
Attackers are conducting vishing campaigns in which they call Microsoft 365 users and request them to register new Entra passkeys. The campaign targets organizations across multiple sectors.
A threat group is currently executing orchestrated vishing campaigns against organizations in multiple industries. Attackers call employees and impersonate security personnel or technical support staff to convince targets to register new Entra passkeys.
For CISOs, this campaign represents a significant risk because Entra passkeys are a modern authentication method with strong cryptographic foundations. If attackers can manipulate a user into registering a passkey they control, they gain legitimate access to Microsoft 365 resources – bypassing multi-factor authentication and Conditional Access policies.
Classic technical controls such as IP blocking or anomaly detection become ineffective once a registered passkey is authenticated. In vishing scenarios, users can be emotionally manipulated when the caller demonstrates corporate knowledge or provides correct contextual information.
Mitigation measures include: training all employees on vishing detection, establishing clear internal processes for authentication requests (never by phone), using Conditional Access to restrict passkey registration to trusted devices and known locations, and proactively monitoring Entra audit logs for suspicious passkey registrations.
Source: www.bleepingcomputer.com · Published July 8, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.