Home/News/Entra Passkey Enrollment Vishing Targets Microsoft 365 Users
BleepingComputer2 min read

By Interestana AI Editorial — AI-drafted, human-overseen. How we report

Entra Passkey Enrollment Vishing Targets Microsoft 365 Users

A threat actor is actively targeting organizations across various sectors with a sophisticated voice phishing (vishing) campaign. The attackers impersonate Microsoft's Entra identity and access management service, specifically targeting users of Microsoft 365. The primary objective of this attack is to trick users into enrolling a new Entra passkey through a fraudulent process.

The vishing calls typically begin with a recorded message or a live agent claiming to be from Microsoft's security team. These actors inform the user that a new security measure, an Entra passkey, needs to be enrolled. The attackers then guide the victim through a series of steps designed to legitimize the fake enrollment. This often involves directing the user to a malicious website or prompting them to provide sensitive information under the guise of security verification.

Microsoft 365 users are particularly vulnerable due to the widespread adoption of Entra ID for managing access to cloud-based applications and services. The attackers leverage the trust associated with Microsoft's brand and the perceived urgency of security updates to manipulate victims. By convincing users to enroll a fake passkey, the threat actor can potentially gain unauthorized access to user accounts, sensitive data, and corporate resources. This attack vector highlights the ongoing risks associated with social engineering tactics, even as organizations adopt more advanced security technologies.

Security researchers have observed this campaign impacting organizations in multiple industries, indicating a broad and indiscriminate targeting strategy. The use of voice phishing, combined with the specific focus on Entra passkey enrollment, represents a notable evolution in attack methods. Organizations are advised to educate their employees about this specific threat and reinforce general security awareness training to mitigate the risk of falling victim to such social engineering schemes.

Original source — read the full reporting at the publisher:

Read on BleepingComputer

Get the weekly AI digest

AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.

Read next