Decoding the world of cybersecurity

Passkey vishing targets Entra users

Okta says vishing actors are using fake Microsoft Entra passkey enrolment flows, showing how attackers are adapting to passwordless authentication.

Passkey vishing targets Entra users
Summary
  • Okta observed a phishing kit designed to trick users into approving attacker-controlled Microsoft Entra passkey registration.
  • The campaign combines vishing, tenant-branded phishing pages, MFA handling, and passkey-themed deception.
  • The activity shows that passwordless rollouts need registration governance, user education, and account-change monitoring.

Okta has warned that vishing actors are targeting Microsoft Entra passkey enrolment, using a phishing kit designed to make users believe they are completing a legitimate passwordless authentication setup.

Okta Threat Intelligence said it observed a kit that closely mimics the Microsoft passkey enrolment process. The likely purpose is to take over a user account and trick the target into approving attacker-initiated passkey registration inside the real Microsoft account. The campaign uses per-target subdomains imitating Microsoft Entra ID login pages, with victim-organisation branding staged for each target.

The activity shows how attackers are adapting to passwordless authentication rather than retreating from it. Passkeys are intended to reduce phishing risk by replacing shared secrets with cryptographic credentials, but enrolment is still a human and administrative process. If an attacker can persuade a user to participate in a fake registration flow while the attacker controls the real account session, the security advantage can be undermined at the point where trust is established.

Okta’s technical analysis describes a flow in which the phishing kit presents Microsoft-style pages, collects credentials, adapts to MFA requirements, and keeps the user occupied with passkey-themed screens. The operator can adjust what the target sees in real time, including prompts for one-time passwords, authenticator approval, or number matching. Okta said the campaign appears to exploit limited user familiarity with how genuine passkey registration should work.

The deception is particularly dangerous because it does not rely solely on stealing a password. By combining voice contact with interactive phishing pages, the attacker can guide the target through an account-change process. Okta’s analysis says the passkey pages may serve as misdirection while the threat actor enrols their own passkey in the legitimate Microsoft account, potentially giving the attacker persistent access under a credential that looks like part of a modern authentication rollout.

Organisations moving towards passkeys should not slow adoption, because phishing-resistant authentication remains a major improvement over passwords and weaker MFA. The control focus needs to extend beyond sign-in and into enrolment, recovery, and account change. Attackers often target the points where credentials are created, reset, delegated, or recovered because those moments carry high trust and may be unfamiliar to users.

Registration governance should become part of any passwordless deployment. Organisations should monitor new passkey enrolments, unusual authenticator changes, unexpected MFA resets, and account changes during or shortly after helpdesk-style calls. High-risk users and administrators may need stricter device binding, phishing-resistant bootstrap processes, conditional access policies, and alerts when new credentials are added from unfamiliar sessions, locations, or devices.

IT support procedures also need to account for the campaign pattern. Employees receiving calls instructing them to enrol or reset authentication methods need an independent verification route that does not rely on the caller. Helpdesk teams should avoid ad hoc authentication changes without strong identity proofing, and security teams should review whether attackers can use branding, internal terminology, or real support workflows to make fraudulent calls credible.

Identity programmes often measure progress by the proportion of accounts moved away from passwords. The Entra passkey campaign shows that registration controls, lifecycle monitoring, and credential revocation are just as important as the authentication method itself. Passkeys improve the sign-in layer, while the account lifecycle remains a live target.

×