The story centers on a shift away from passwords toward passkeys to cut credential theft and phishing, highlighting that accounts protected only by usernames, passwords, or SMS codes remain highly vulnerable.

Check Point notes Microsoft was the top impersonated brand in phishing during Q1 2026, with attackers using credential theft and initial access tactics that affect both personal and enterprise users.

A newly observed phishing attack dupes users by embedding the Microsoft brand in a subdomain of an unrelated site, directing them to a non-functional login page after they enter their credentials.

If users encounter these pages, they should exit immediately, change passwords, and enable passkeys with non-SMS multi-factor authentication where available.

Microsoft is urging the transition away from passwords entirely in favor of passkeys to reduce the risk of account hijacking.

Beyond Microsoft, Check Point’s data shows Apple, Google, and Amazon are also major phishing targets, together making up about half of observed attacks in the recent quarter.