Beware of fake Entra passkey vishing attacks on M365 users

·
Listen to this article~4 min

A threat actor is targeting Microsoft 365 users with fake voice calls asking them to enroll a new Entra passkey. Learn how to spot and stop these vishing attacks before they compromise your data.

A new wave of voice-based phishing attacks—known as vishing—is sweeping across organizations, and it's specifically targeting Microsoft 365 users. Scammers are pretending to be IT support and asking employees to enroll a new Entra passkey. If you get a call like this, hang up. It's a trap. Here's how it works: The attacker calls, often spoofing a legitimate company number, and says there's a security issue with your Microsoft 365 account. They'll claim you need to enroll a new passkey in Entra—Microsoft's identity and access management system—to protect your data. But the link they send or the steps they guide you through actually install malware or steal your credentials. ### Why this attack is so dangerous This isn't just another spam call. The attackers are well-prepared. They research their targets, know the right terminology, and sound convincing. They might even reference recent security updates from Microsoft to build trust. Once you're on the hook, they can gain access to your email, files, and even your company's entire network. - **Voice spoofing**: They can make the caller ID look like it's from your own IT department. - **Urgency tactics**: They'll say you need to act immediately or your account will be locked. - **Realistic scripts**: They use technical jargon like "Entra passkey enrollment" to sound legit. ### How to protect yourself and your team First, remember that legitimate IT support will never ask you to enroll a passkey over the phone. If you get a suspicious call, don't follow any instructions. Instead, hang up and contact your IT department directly using a number you know is real. > "The best defense against vishing is skepticism. If it feels off, it probably is." Second, educate your employees. Run a quick training session on spotting vishing attempts. Show them examples of what these calls sound like. The more they know, the less likely they'll fall for it. Finally, use antidetect browsers to add an extra layer of security. These browsers mask your digital fingerprint, making it harder for attackers to track your online behavior or target you with personalized scams. They're a smart tool for anyone who works with sensitive data. ### What to do if you've already been targeted If you think someone in your organization has fallen for this, act fast. Disable the compromised account immediately. Change all passwords and revoke any new passkeys that were enrolled. Run a full security scan on the affected device. And report the incident to your cybersecurity team or a trusted IT professional. Remember, vishing attacks are becoming more sophisticated every day. Staying informed and cautious is your best bet. Don't let a smooth-talking scammer trick you into compromising your data. This post is a friendly reminder to always verify before you trust. Stay safe out there.