RMON Networks Security Advisory
URGENT ALERT: New Voice Phishing (“Vishing”) Campaign Targeting Microsoft 365 Users July 2026 | Client Security Advisory What You Need to Know Cybercriminals are actively targeting organizations with a sophisticated voice phishing (“vishing”) campaign designed to compromise Microsoft 365 accounts. Attackers are calling employees directly, posing as IT support or security personnel, and convincing users… The post RMON Networks Security Advisory appeared first on RMON Networks.
URGENT ALERT: New Voice Phishing (“Vishing”) Campaign Targeting Microsoft 365 Users
July 2026 | Client Security Advisory
What You Need to Know
Cybercriminals are actively targeting organizations with a sophisticated voice phishing (“vishing”) campaign designed to compromise Microsoft 365 accounts. Attackers are calling employees directly, posing as IT support or security personnel, and convincing users to enroll what appears to be a legitimate Microsoft Entra passkey. In reality, they are registering an attacker-controlled credential that provides unauthorized access to the victim’s account. [securityweek.com], [bleepingcomputer.com], [thehackernews.com]
Organizations across multiple industries, including healthcare, technology, construction, aviation, automotive, and manufacturing, have been impacted. [securityweek.com], [bleepingcomputer.com]
How the Attack Works
Step 1: The Phone Call
An employee receives a call from someone claiming to be:
- Internal IT Support
- Microsoft Support
- Security Operations
- Help Desk Personnel
The caller states that a security update requires the employee to register a new passkey immediately. [securityweek.com], [bleepingcomputer.com]
Step 2: The Fake Website
The employee is directed to a convincing website that:
- Mimics Microsoft Entra ID
- Uses company branding
- Looks nearly identical to legitimate Microsoft sign-in pages
- Requests Microsoft 365 credentials and MFA approval [securityweek.com], [bleepingcomputer.com], [windowsreport.com]
Step 3: Account Compromise
While the employee believes they are improving account security, the attacker:
- Captures authentication information
- Guides the user through MFA approval
- Registers an attacker-controlled passkey
- Gains persistent access to the Microsoft 365 account [securityweek.com], [bleepingcomputer.com], [thehackernews.com]
Step 4: Data Theft
Attackers commonly target:
- SharePoint
- OneDrive
- Teams files
- Sensitive business documents
Several incidents have led to data theft and extortion attempts. [windowsreport.com], [cyberpress.org]
Warning Signs Your Team Should Know
🚩 Unexpected calls requesting password resets
🚩 Requests to approve MFA prompts you did not initiate
🚩 Instructions to register a new passkey over the phone
🚩 Urgent security requests requiring immediate action
🚩 Login pages reached from links provided during a phone call
🚩 Callers claiming “your account will be disabled” unless action is taken immediately
What Employees Should Do
STOP
Pause before taking any action on account-related requests received by phone.
VERIFY
Contact your IT provider or help desk using a trusted phone number you already have.
NEVER
- Share MFA codes
- Approve unexpected authentication prompts
- Register new authentication methods at a caller’s request
- Enter credentials on websites provided during unsolicited calls
Recommended Security Controls
Organizations should:
✅ Enable phishing-resistant authentication methods
✅ Monitor for newly registered MFA methods and passkeys
✅ Review Microsoft 365 sign-in activity regularly
✅ Monitor SharePoint and OneDrive for unusual download activity
✅ Conduct periodic security awareness training focused on social engineering and vishing attacks
✅ Require verification procedures for all account recovery and authentication changes
[cyberpress.org], [stateofsur…llance.org], [okta.com]
If You Suspect a Compromise
Immediately contact your IT support team if:
- You approved an unexpected MFA request
- You entered credentials after receiving a security-related phone call
- You registered a passkey or authentication method at someone’s direction
- You notice unusual account activity
Early detection can significantly reduce the impact of an account compromise.
Need Assistance?
RMON Networks Security Team
If you have questions about this threat, Microsoft 365 security, multifactor authentication, or incident response, contact RMON Networks immediately for assistance.
RMON Networks
Protecting Your Business Through Secure, Modern IT
The post RMON Networks Security Advisory appeared first on RMON Networks.
Share
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
