Fake passkey account recovery override phishing — claims a passkey was removed/revoked and the user must re-enroll via a credential-harvesting recovery URL, exploiting passkey transition confusion. FIDO Alliance Q1 2026; Proofpoint Feb 2026; Krebs Mar 2026.
fake-passkey-account-recovery-override-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Emails claiming the recipient's passkey was removed, revoked, or is no longer valid for their account (Apple ID, Google Account, Microsoft Account, GitHub, Coinbase), directing them to re-enroll or "recover" their account via a link that harvests credentials by falling back to password + SMS OTP. This is distinct from fido-passkey-downgrade-lure (which detects emails initiating the initial passkey enrollment downgrade). This signal targets the post-enrollment recovery override — the attacker pretends the existing passkey was invalidated and forces a recovery flow. The FIDO Alliance issued a specific Q1 2026 advisory documenting this attack pattern across member organizations; Proofpoint (February 2026) and Sublime Security (March 2026) confirmed active campaigns targeting Apple, Google, and Microsoft users.
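The three traits described above (a passkey-revocation claim, a push to re-enroll or recover, and a link that leaves the impersonated brand's domain) can be checked together, as in this added example, which is not Gorganizer's own detection code. The regexes, the brand-to-domain map, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brands named on the page; the domain lists are assumptions for this example.
BRAND_DOMAINS = {
    "apple": ("apple.com", "icloud.com"),
    "google": ("google.com",),
    "microsoft": ("microsoft.com", "live.com"),
    "github": ("github.com",),
    "coinbase": ("coinbase.com",),
}
# Trait 1: the passkey is said to be removed, revoked or no longer valid.
REVOKED = re.compile(
    r"\bpasskeys?\b[^.!?\n]{0,80}\b(removed|revoked|deleted|disabled|"
    r"no longer valid|invalidated)\b", re.I)
# Trait 2: the reader is pushed to re-enroll or run account recovery.
RECOVER = re.compile(r"\b(re-?enroll|recover(y)?|restore access|re-?register)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def on_brand(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def passkey_recovery_override(subject, body):
    """Return (fired, reasons); fires only when all three traits converge."""
    text = f"{subject}\n{body}"
    reasons = []
    if REVOKED.search(text):
        reasons.append("claims passkey removed/revoked")
    if RECOVER.search(text):
        reasons.append("pushes re-enroll/recovery")
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text, re.I)]
    hosts = [urlparse(u).hostname or "" for u in URL.findall(body)]
    # Trait 3: a link whose host belongs to none of the brands mentioned.
    off = sorted({h for h in hosts if h and brands and
                  not any(on_brand(h, BRAND_DOMAINS[b]) for b in brands)})
    if off:
        reasons.append("recovery link off brand domain: " + ", ".join(off))
    return len(reasons) == 3, reasons

# Constructed sample messages (not real campaign mail).
PHISH = ("Action required: your passkey was revoked",
         "Your Apple ID passkey is no longer valid. Re-enroll now to keep "
         "access: https://appleid-recovery.example/reset")
BENIGN = ("Security alert",
          "The passkey for your Google Account was removed. To recover "
          "access, visit https://accounts.google.com/signin/recovery")
```

The benign sample matches two of the three traits but does not fire, because its only link stays on a domain mapped to the brand it names.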
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.