Your IT provider will never call you and ask you to set up a new security key over the phone. If that call ever comes, hang up. A scam making the rounds right now is counting on you not knowing that.
What's Happening
Attackers are calling employees at Microsoft 365 businesses, posing as IT or security support. The pitch: it's time to set up a new "passkey" — a modern, more secure way to sign in — and they'll walk you through it right now.
The call sends you to a fake page built to look exactly like Microsoft's real sign-in screen. Here's the trick: everything you type gets typed into the real Microsoft site at the same time, by the attacker, in real time. Whatever security check Microsoft sends back — a text code, a push notification — the attacker copies onto the fake page so you never notice anything is wrong.
Then comes the real damage. You're walked through writing down a "recovery phrase," which feels like the important security step. While you're distracted doing that, the attacker is quietly registering their own passkey on your account in the background — a permanent way back in that survives a password reset.
Why It Matters for Your Business
This isn't a mass spam blast. Someone is on the phone, running the scam live, which means it's targeted — aimed at businesses worth the effort. And it works precisely because passkeys are new to most people. Nobody's used to what the real setup process looks like, which makes an urgent phone call the perfect cover.
If an employee falls for it, the attacker doesn't just get access once — they get a standing way into that account that a password reset won't fix, because they've planted their own sign-in method. From there: stolen data, access to shared files and email, and for regulated businesses, a compliance headache on top of the security one.
How Blackbird Clients Are Already Covered
For our managed clients, this isn't a special add-on — it's default:
- Rules on who can register a new sign-in method, and from where, so an attacker can't just add one from anywhere.
- Alerts on new device and passkey registrations, so something unexpected gets flagged fast instead of sitting unnoticed.
- Training that specifically covers phone-based scams like this one — because the tech only helps if your team also knows a surprise call about their Microsoft account is a red flag.
What to Do Right Now
- Tell your team today: Microsoft support will never call and ask you to set up a passkey. Hang up, and verify through your IT provider directly.
- Never set up a new sign-in method from a link in a call, text, or email. That only happens inside Microsoft's own apps.
- Check who can add new sign-in methods on your account. If the answer is "anyone, from anywhere," that needs to change.
This kind of scam is only going to spread further. If you want a straight answer on whether your Microsoft 365 setup would actually catch this — not just look compliant on paper — start with a Blackbird M365 assessment. Ten minutes, real findings, no guesswork.