Hackers Exploit FIDO MFA With Novel Phishing Technique
======================================================

PoisonSeed Threat Actor Uses Cross-Device Login Feature and QR Code to Trick Users

[Prajeet Nair](https://www.govinfosecurity.com/authors/prajeet-nair-i-3483) ([@prajeetspeaks](https://www.twitter.com/@prajeetspeaks)) • July 19, 2025

Expel researchers have spotted a novel adversary-in-the-middle phishing technique that sidesteps one of the most secure forms of multifactor authentication – FIDO2 physical keys – without breaking the protocol itself.
Expel researchers have found a novel adversary-in-the-middle phishing technique used by PoisonSeed, a cybercrime group previously tied to large-scale cryptocurrency thefts, to sidestep one of the most secure forms of multifactor authentication – FIDO2 physical keys.

While the FIDO protocol itself remains uncompromised, Expel researchers said in a [report](https://expel.com/blog/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts/) that the attackers found a way to "downgrade" FIDO protections by abusing a legitimate cross-device sign-in feature, which lets a user log in on a new system by approving the request on a companion mobile device enrolled with their FIDO credentials. PoisonSeed's phishing campaign hijacks this process, relaying a QR code to the victim to obtain unauthorized access.

FIDO2 security keys – physical devices that enable passwordless authentication for online services – were designed to counter phishing, SIM swapping and the other weaknesses inherent in SMS- or email-based MFA. An ordinary adversary-in-the-middle page fails against them because the authenticator signs the origin it is actually presented with, so an assertion produced on a phishing domain is rejected by the real service. The cross-device flow changes what is being checked: the QR code represents a sign-in already started at the legitimate service, and the phone that scans it completes that sign-in for whichever browser requested it. What ties the phone to the machine that displayed the code is a proximity check, which is why the mitigation advice in this case centers on Bluetooth verification.

The PoisonSeed attack chain begins with a phishing email. Victims are directed to a fake login page impersonating the organization's Okta portal. Once a user enters a username and password, the phishing site forwards the stolen credentials to the real authentication service and requests a cross-device sign-in, which causes the legitimate service to generate a QR code. That QR code is immediately relayed to the phishing page, where the victim – believing it to be part of the usual sign-in process – scans it with their mobile authenticator app.
Once scanned, the legitimate system binds the mobile device's approval to the attacker-controlled session, handing over access to protected applications, documents and services.

"This is a concerning development, given that FIDO keys are often regarded as one of the pinnacles of secure multifactor authentication," Expel's security operations team said. "This attack demonstrates how a bad actor could run an end-route around an installed FIDO key."

Jason Soroko, senior fellow at Sectigo, said the phishing attack cleverly mirrored a QR code from the real authentication system back to victims, tricking them into scanning it and completing the FIDO challenge while their physical security key remained unused. This sleight of hand allowed the attacker to gain access without ever touching the actual key.

"The hardware and cryptography remain sound yet the convenience features around them can be turned against you," Soroko said. "Defenders can mitigate this technique by disabling cross-device sign-in where possible, enforcing Bluetooth proximity checks, monitoring for unexpected key registrations and geographies and teaching staff to treat any QR prompt after a password entry as a probable trap."

Expel said the infrastructure behind the phishing page was hosted on newly registered domains fronted by Cloudflare, lending an air of legitimacy that likely helped avoid user suspicion. In one observed incident, the attackers not only established a valid session but also enrolled their own FIDO key to persist access, so they would not need to phish the user a second time.

Though the incident was quickly contained, the implications are far-reaching. "No vulnerability in FIDO was exploited directly," Expel said. "But the combination of phishing, QR codes and legitimate sign-in workflows created a path of least resistance."

Security teams are advised to monitor authentication logs for unexpected cross-device sign-in activity, unfamiliar FIDO key registrations and anomalous geographic locations. Expel also recommends enabling Bluetooth verification during cross-device sign-ins, so that the user's phone must be physically near the system that is actually logging in.

"Attackers are relentless in targeting identity and session management," Expel said. "This tactic proves that even the best defenses can be skirted with enough social engineering and creativity."

Despite these developments, Expel said FIDO keys remain a strong form of authentication, provided organizations audit their use regularly and understand the potential blind spots as attackers continue to hone their techniques.
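The two log-based signals recommended above – a cross-device sign-in from an unfamiliar geography, and a FIDO key enrolled shortly afterwards – can be turned into a concrete detection. The Python below is an added example written for this page; it is not code from Expel's report, from Okta or from any PoisonSeed research. The log lines are constructed, and their field names (`ts`, `user`, `event`, `ip`, `country`, `transport`, `factor`) and event names (`auth.success`, `factor.enroll`) are a simplified, assumed schema; a real identity provider's system log would have to be mapped onto these fields first. The 60-minute enrollment window is likewise an assumption.

```python
"""Detection sketch for a FIDO cross-device ("hybrid") downgrade pattern.

Rule 1: hybrid-transport WebAuthn sign-in from a country the user has never
        signed in from before.
Rule 2: new WebAuthn key enrolled within ENROLL_WINDOW of that hybrid sign-in
        (the persistence step described in the article).

Added example with a constructed, simplified log schema (assumption); not the
schema of Okta or any other real IdP.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

ENROLL_WINDOW = timedelta(minutes=60)  # assumption: tune to your environment

# Constructed sample log (not real telemetry). alice shows the pattern from
# the article: two normal USB-key logins from the US, then a hybrid sign-in
# from a new country followed 11 minutes later by enrollment of another key.
# bob's first-ever login is hybrid (no baseline yet) and his enrollment comes
# about 20 hours later, so neither rule should fire for him.
SAMPLE_LOG = """\
{"ts": "2025-07-10T09:02:11Z", "user": "alice@example.com", "event": "auth.success", "ip": "203.0.113.10", "country": "US", "transport": "usb", "factor": "webauthn"}
{"ts": "2025-07-11T08:58:40Z", "user": "alice@example.com", "event": "auth.success", "ip": "203.0.113.10", "country": "US", "transport": "usb", "factor": "webauthn"}
{"ts": "2025-07-15T14:20:05Z", "user": "alice@example.com", "event": "auth.success", "ip": "198.51.100.7", "country": "NL", "transport": "hybrid", "factor": "webauthn"}
{"ts": "2025-07-15T14:31:50Z", "user": "alice@example.com", "event": "factor.enroll", "ip": "198.51.100.7", "country": "NL", "transport": null, "factor": "webauthn"}
{"ts": "2025-07-15T16:00:00Z", "user": "bob@example.com", "event": "auth.success", "ip": "192.0.2.44", "country": "US", "transport": "hybrid", "factor": "webauthn"}
{"ts": "2025-07-16T12:00:00Z", "user": "bob@example.com", "event": "factor.enroll", "ip": "192.0.2.44", "country": "US", "transport": null, "factor": "webauthn"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON events and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events: list[dict], enroll_window: timedelta = ENROLL_WINDOW) -> list[dict]:
    """Run both rules over a time-ordered event stream and return alerts.

    The geography baseline is built only from events *before* the current one,
    so a brand-new user's first login is not flagged: there is nothing to
    compare it against. That cold-start case is a deliberate non-alert, not an
    oversight, and the caller can handle it separately if desired.
    """
    seen_countries: dict[str, set[str]] = defaultdict(set)
    last_hybrid: dict[str, dict] = {}
    alerts: list[dict] = []

    for e in events:
        user = e["user"]
        if e["event"] == "auth.success":
            if e.get("transport") == "hybrid":
                baseline = seen_countries[user]
                if baseline and e["country"] not in baseline:
                    alerts.append({
                        "rule": "cross_device_new_geo",
                        "user": user,
                        "ts": e["ts"].isoformat(),
                        "detail": f"hybrid sign-in from {e['country']} ({e['ip']}); "
                                  f"baseline countries: {sorted(baseline)}",
                    })
                last_hybrid[user] = e
            seen_countries[user].add(e["country"])
        elif e["event"] == "factor.enroll" and e.get("factor") == "webauthn":
            prior = last_hybrid.get(user)
            if prior is not None and e["ts"] - prior["ts"] <= enroll_window:
                minutes = int((e["ts"] - prior["ts"]).total_seconds() // 60)
                alerts.append({
                    "rule": "enroll_after_cross_device",
                    "user": user,
                    "ts": e["ts"].isoformat(),
                    "detail": f"new WebAuthn key enrolled {minutes} min after "
                              f"hybrid sign-in from {prior['ip']}",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run as a script it prints two alerts, both for alice; bob produces none because his hybrid login has no baseline to contradict and his enrollment falls outside the window. In practice the second rule is the higher-fidelity one: an enrollment that follows a cross-device sign-in within minutes is exactly the persistence move Expel observed, whereas the geography rule needs allowlisting for travelling staff.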