password-security-guideINFO

Passkeys Can Still Be Phished - During Enrollment: the Entra Vishing Attack (2026)

Passkeys resist phishing at login, but a 2026 campaign targets the enrollment step: attackers call Microsoft 365 users and walk them through registering a passkey the attacker controls. How it works, and how not to fall for it.

By Eric Gerard · Editor · PwdFortress4 min readPhoto via Pexels

Passkeys are the strongest everyday defense against phishing when you sign in: there is no password to steal, and the credential is tied to the real website, so a fake login page captures nothing useful. But a campaign that came to light in 2026 shows where the weak point moved. The attackers do not fight the login - they target the enrollment: they call Microsoft 365 users and walk them through registering a passkey the attacker controls. Here is how it works, and how not to fall for it.

How the attack works

According to BleepingComputer, a threat actor has been phoning Microsoft 365 users - voice phishing, or vishing - since April 2026, posing as IT or security and urging them to enroll a new Entra passkey "for better protection". To sell the deception, the victim is directed to a phishing kit that imitates Microsoft's genuine passkey enrollment flow, run from an operator-controlled panel where the attacker guides the target step by step and adapts to whichever multi-factor method they use.

The result is the trap: the victim believes they are registering a passkey on their own account, while the attacker is actually registering a passkey they control. Okta, which tracks the actor as O-UNC-066 (an extortion operation it calls Pink), has reported the same cluster targeting organizations across food and beverage, technology, healthcare, automotive, construction and aviation.

A worried person on a phone call in front of a laptop - vishing attacks start with an unexpected call pushing you to act quickly.
A worried person on a phone call in front of a laptop - vishing attacks start with an unexpected call pushing you to act quickly.

Why passkeys do not stop this

It is worth being precise about what passkeys protect. At sign-in, a passkey is phishing-resistant by design: the private key never leaves your device, and it only works on the genuine domain, so a copycat login page has nothing to phish. This attack does not touch that.

Enrollment is a different moment. Here you are being asked to add a credential, and the target is the human decision to go ahead, not the cryptography. If you are talked into completing an attacker-driven registration, the maths worked perfectly - it just registered the wrong key. That is why "phishing-resistant" describes the login, not a social-engineered enrollment.

A hand approving a phone unlock with a fingerprint - the enrollment step, where a vishing call tries to slip in an attacker's passkey.
A hand approving a phone unlock with a fingerprint - the enrollment step, where a vishing call tries to slip in an attacker's passkey.

The twist: it abuses a real Microsoft feature

What makes the pretext so convincing is timing. In May 2026 Microsoft gave administrators the ability to run passkey registration campaigns - legitimate prompts that nudge users to enroll a passkey for stronger authentication. That is a genuine improvement. But it also means employees now expect to be asked to set up a passkey, so a call saying "we need you to enroll your passkey now" no longer sounds strange. A real security feature became a ready-made cover story.

How to protect yourself

  • Never enroll a passkey because of an incoming call. Real IT teams do not phone you and walk you through registering a credential in real time.
  • Only enroll from a session you started. Type the official address into your browser or open the official app yourself - do not follow a link or a spoken instruction from a caller.
  • Verify first. If you get a call or message telling you to enroll a passkey now, confirm it through a known internal channel before doing anything.
  • Admins: monitor passkey registrations, alert on newly added credentials, and remind staff that enrollment prompts should be initiated by the user, never completed live on an unsolicited call.

For your personal accounts too

The same logic applies beyond the workplace. Only add a passkey when you started the action in the genuine app, and keep your real passkeys and two-factor codes in one trusted place so you always know what you have actually registered. A vishing call has far less to work with when you have a clear picture of your own credentials.

The bottom line

Passkeys still beat passwords, and you should keep using them - but "phishing-resistant" describes the sign-in, not the enrollment. The Entra vishing campaign is a reminder that the human step of adding a credential is the new target. Never enroll a passkey because someone called you; only ever from a flow you started yourself.

Frequently asked questions

Are passkeys still safe after this attack?

Yes, for signing in. A passkey is a cryptographic key pair bound to the real site's domain, so a fake login page cannot capture anything reusable - that part is genuinely phishing-resistant. This campaign does not break the cryptography. It targets a different moment: the enrollment step, where a human is socially engineered into registering an attacker's passkey. The fix is not to distrust passkeys, but to be careful about when and how you enroll one.

How does the Entra passkey vishing attack work?

According to BleepingComputer, a threat actor calls Microsoft 365 users by phone (voice phishing, or vishing), posing as IT or security, and urges them to enroll a new Entra passkey. The victim is directed to a phishing kit that imitates Microsoft's real passkey enrollment, with an operator guiding them in real time. While the victim believes they are registering their own passkey, the attacker is registering a passkey they control - giving them persistent access to the account.

Can a passkey be phished?

Not at sign-in. Because a passkey's private key never leaves your device and is tied to the genuine domain, a fake login page has nothing to steal. What can be phished is the enrollment: through a vishing call and a look-alike registration page, you can be tricked into adding a credential that belongs to the attacker. So the honest phrase is that passkeys are phishing-resistant for login, not for a social-engineered enrollment.

How do I avoid the passkey enrollment scam?

Never enroll or approve a passkey because of an unexpected phone call. Legitimate IT teams do not call and walk you through registering a credential live. Only enroll a passkey from a session you started yourself, by typing the official address into your browser or opening the official app. If you get a call or message telling you to enroll a passkey now, verify it through a known internal channel first.

Why did this attack become possible now?

In May 2026 Microsoft gave administrators a feature to run passkey registration campaigns - legitimate prompts nudging users to enroll passkeys for stronger security. That is a good change, but it also means users now expect to be asked to enroll a passkey, which makes a fake request more believable. The attackers piggyback on that expectation, turning a real security improvement into a convenient pretext.