A threat actor is conducting a vishing campaign targeting Microsoft 365 users across multiple sectors, using voice calls that impersonate Microsoft security alerts. The attackers urge victims to enroll a new Entra passkey, claiming it's necessary for account protection.

The campaign exploits trust in Microsoft's identity management system, Entra ID (formerly Azure Active Directory). Successful enrollment gives the attacker the enrolled passkey, effectively handing over authentication credentials. This allows persistent access to the victim's Microsoft 365 account, bypassing standard password-based defenses.

Attackers use voice phishing (vishing) to socially engineer victims, often spoofing legitimate Microsoft support numbers. Victims are instructed to visit a URL or follow on-screen prompts during the call to complete the fake enrollment process. The indicators of compromise include unexpected authentication requests or new passkey registrations in Entra ID logs.

Microsoft has not released a specific patch, as this is a social engineering attack rather than a software vulnerability. Organizations are advised to enable multi-factor authentication (MFA) through more robust methods (e.g., authenticator app notifications), train users to verify unsolicited security calls, and monitor Entra ID sign-in logs for anomalous passkey enrollments.

Attribution for the campaign remains unclear, but the broad targeting of multiple industries suggests a financially motivated group. This attack highlights a growing trend of vishing targeting identity management systems, where human trust is the primary vulnerability.