Network Integration Specialists, Inc. Blog
How to Spot and Stop Microsoft 365 Passkey Vishing Scams
Cybercriminals are using new tricks to target Microsoft 365 users, posing as internal IT staff and calling employees to walk them through a fake passkey enrollment process. This vishing (voice-phishing) campaign is designed to trick staff into giving attackers access to business accounts, leading to data theft and extortion. Here’s what you need to know and the practical steps you can take to protect your organization.
Why This Matters to Small Businesses
Small businesses and nonprofits often rely on Microsoft 365 for email, file storage, and collaboration. When attackers gain access to these accounts, they can steal sensitive data, disrupt operations, and demand payment to return your files. Because this scam uses phone calls and impersonates trusted IT staff, it can bypass many technical security controls and catch even cautious employees off guard.
How the Scam Works
In this campaign, attackers call employees and claim to be from the company’s IT department. They say they are helping with a new security upgrade or passkey enrollment for Microsoft 365. The caller then directs the employee to a website that looks like a Microsoft passkey setup page. While the employee follows instructions, the attacker registers their own passkey on the real Microsoft 365 account. This gives the attacker ongoing access, even if the password is changed later. Once inside, the attacker may steal files or threaten to leak sensitive information unless a ransom is paid.
It’s important to note that this scam does not exploit a weakness in passkeys or multi-factor authentication (MFA) itself. Instead, it relies on social engineering—tricking people into helping the attacker. The scam is especially effective because many organizations are currently rolling out legitimate passkey enrollment, making the request sound plausible.
How to Protect Your Team
- Verify unexpected IT requests: If you receive a call about enrolling a new passkey or any security change, pause and verify. Use a known company contact method—such as your official IT help desk number or internal chat—not the number the caller provides.
- Remember the rule: Real IT staff will not call out of the blue and walk you through a passkey setup. If you’re unsure, hang up and reach out through your usual IT support channel.
- Look for signs of urgency or secrecy: Attackers often pressure you to act quickly or keep the call confidential. This is a red flag.
- Share this guidance with your team: A quick reminder can help everyone recognize and avoid these scams.
- Report suspicious activity: If you think you’ve interacted with a scammer, let your IT support know right away so they can help secure your account.
How NIS Helps Manage the Risk
NIS helps small businesses and nonprofits stay ahead of emerging threats by monitoring security news, updating best practices, and providing staff awareness training. We support secure Microsoft 365 configurations and guide clients through safe adoption of new technologies like passkeys and multi-factor authentication. If your team needs help understanding or responding to new scam tactics, NIS is here to provide clear, practical advice and support.
Staying alert to social engineering is just as important as technical security. Remind your team: always verify IT requests through a trusted channel. It’s a simple habit that stops most scams before they start.
Comments
