In May, Microsoft gave administrators a new tool: the ability to run “passkey enrollment campaigns” that nudge staff to set up passkeys, a more secure way to sign in that replaces the password with a device you already own. Good feature. Passkeys are genuinely harder to phish than passwords. But attackers read the release notes too, and they’ve already turned it into a scam. Since April, a criminal group has been calling Microsoft 365 users, pretending to be IT, and walking them through a fake version of that exact enrollment process (Bleeping Computer).
Here’s what’s happening and what it means if your office runs on Microsoft 365.
What the attack actually looks like
Someone at your company gets a phone call. The caller says they’re from IT or Microsoft, and that everyone needs to enroll a new passkey “for security reasons.” Sounds legit. Passkeys are a real thing Microsoft is pushing right now, so the request lines up with things people have actually been hearing.
The caller sends the employee to a website. The domain has the word “passkey” in it, and the page shows your company’s own logo and branding. It looks like the real Microsoft passkey portal. The employee follows the steps, enters their sign-in, approves the MFA prompt, and thinks they’ve just made their account safer.
They didn’t. Behind the scenes, the attacker is registering a passkey they control on the account. Security firm Okta, which tracked the campaign, found the criminals run a live control panel that adapts to whatever MFA method the victim uses, whether it’s a code from an app, a push notification, or a text. The operator is guiding the whole thing in real time, relaying whatever the victim types straight into the real Microsoft login. To make the fake process feel elaborate and official, the site even asks victims to save a “recovery phrase,” something legitimate Microsoft passkey enrollment never does.
The group behind this is an extortion crew Okta tracks as Pink. They’ve hit food and beverage, healthcare, construction, automotive, tech, and aviation companies. Notice a pattern? These aren’t Fortune 500 targets. These are ordinary businesses with ordinary IT setups.
Why your MFA doesn’t save you here
This is the part that stings. You did the right thing. You turned on multi-factor authentication. And it still doesn’t stop this attack, because the victim approves the MFA prompt themselves. The attacker doesn’t break MFA. They get you to complete it for them.
That’s the theme running through most Microsoft 365 attacks right now. The password isn’t the weak point anymore, the person is, and the attacks are built around normal-looking workflows. Huntress spent three months studying how these accounts actually get taken over and found identity attacks made up 79% of the serious incidents they responded to last year. In one demonstration, a researcher took a plain user account with zero admin rights and made himself a global admin in five and a half minutes, using nothing but gaps that were already sitting open (Huntress).
What to do this week
This one has a clear fix list. Hand this to whoever runs your IT.
-
Tell your staff the rule now, before the call comes. Microsoft and your IT department will never phone you and walk you through a security setup on a website they send you mid-call. If someone calls asking you to enroll a passkey, register MFA, or “verify your account,” hang up and call your IT contact directly. This one sentence stops the whole attack.
-
Lock down who can register authentication methods. In Microsoft Entra, you can control and monitor how and when users add new sign-in methods like passkeys. If a passkey gets enrolled from an odd location or at an odd time, someone should see it. Most small businesses have never touched these settings.
-
Turn on Conditional Access so logins from unexpected places get blocked or challenged. If your business operates in one state, a sign-in from another country shouldn’t just sail through.
-
Review your admin accounts. Huntress found 55% of the tenants they checked let regular users do admin-level things, and 59% had admin accounts with too few restrictions. Fewer admins, tighter rules, separate accounts for admin work.
-
Watch for new passkey and app registrations. A passkey you didn’t create, or an “enterprise application” you don’t recognize with broad permissions, is a red flag. This is exactly the kind of thing that should trigger an alert, not get discovered three weeks later.
The frustrating truth from that Huntress study is that most businesses already know these controls matter. They just don’t turn them on, usually out of fear of locking someone out or flooding the helpdesk. That fear is understandable, and it’s also exactly what the attackers are counting on. Rolling these changes out carefully, so nobody gets locked out and the phones stay quiet, is the whole job. It’s what we do when we harden a client’s Microsoft 365, and it’s what catching a rogue passkey before it’s used looks like in practice (the monitoring we run).
If you’re on Microsoft 365 and you’re not sure whether these settings are on or who your admins even are, that’s worth an honest look. Book a free 15-minute consult and we’ll tell you where you stand.