Re: Passkeys
Every single phishing email that has been reported to our helpdesk in the last year is able to intercept Microsoft's Authenticator app MFA, no matter the configuration.
There are two options for phishing protection with O365:
1. Make passkeys mandatory. Not possible if you have users on Apple devices, because Microsoft applications on Mac/iOS use the wrong type of webview for the authentication popup, so they do not support passkeys.
2. Require all devices to be enrolled into Azure and restrict logins to enrolled devices. This means either a company-owned device or, for BYOD, you install the Company Portal app and give it control of your device, which only one organisation can do. Oh, and you need to buy a more expensive license for every user to use this "feature".
One of our clients has a lot of contractors. The only thing you can do is tell them to look at the address bar before entering their MFA code. How well do you think that works?
We have a technique for reducing risk: geo-restrictions. It only works because the phishers haven't bothered working around it. If anyone wants to travel, they must contact the helpdesk so we can whitelist the destination country.
When we rolled this out to our biggest client, it lasted about a week before we were told to remove it. A short while later, the person in charge got a phone call from the finance director asking about this "hush hush, don't tell anyone, just transfer the money" request they had just sent them... When we told them it was sent by someone who had been logged in to their account for about two weeks, the geo-restrictions got reinstated.
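The geo-restriction the post describes, written out as an added example (this is not the poster's configuration, just one way to build it in Microsoft Entra ID with the Microsoft Graph PowerShell SDK): a country named location holding the allowed countries, a Conditional Access policy that blocks sign-ins from every other location, and a small helper the helpdesk can run to add a destination country for a travelling user. The country codes, display names and the break-glass account object ID are placeholders; the module name, cmdlets and scopes are the real ones from the SDK.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph.Identity.SignIns
# module is installed and the operator can consent to Policy.ReadWrite.ConditionalAccess.
# Country codes, names and the break-glass object ID below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location listing the countries sign-ins are allowed from.
#    includeUnknownCountriesAndRegions = $false keeps IPs that cannot be geolocated
#    off the allow-list, so they are caught by the block policy below.
$allowedCountries = @("GB")   # placeholder: the organisation's home country/countries
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed sign-in countries"
    countriesAndRegions               = $allowedCountries
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy: all users, all apps, all locations EXCEPT the named location -> block.
#    It is created in report-only mode; review the sign-in logs, then set state to
#    "enabled". The break-glass account is excluded so a wrong country list cannot
#    lock the tenant administrators out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sign-in from outside allowed countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Helpdesk procedure for a travelling user: add the destination country to the
#    named location for the trip, and run the same function without the country
#    (or edit the list) to remove it afterwards.
function Add-AllowedCountry {
    param([string]$NamedLocationId, [string]$CountryCode)
    $current = Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $NamedLocationId
    # Country-specific fields of the derived type live in AdditionalProperties.
    $codes = @($current.AdditionalProperties["countriesAndRegions"]) + $CountryCode |
        Select-Object -Unique
    Update-MgIdentityConditionalAccessNamedLocation -NamedLocationId $NamedLocationId -BodyParameter @{
        "@odata.type"       = "#microsoft.graph.countryNamedLocation"
        countriesAndRegions = @($codes)
    }
}
Add-AllowedCountry -NamedLocationId $location.Id -CountryCode "FR"   # placeholder trip
```

Two things worth keeping in mind when relying on this. The location condition is evaluated on the IP address that presents the credentials to Entra, so a reverse-proxy phishing kit hosted inside an allowed country passes straight through; that is exactly the "only works because the phishers haven't bothered" caveat in the post. And the policy only gates new sign-ins: a session that was already established before the policy took effect, like the one in the post that had been active for two weeks, keeps its tokens until they expire or are revoked, so reinstating the restriction should go together with revoking the compromised account's sessions.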