Full Report
A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests from fake company portals. [...]
Analysis Summary
# Threat Actor: Unspecified Threat Actors utilizing PoisonSeed Phishing
## Attribution & Identity
The source material does not attribute the activity to a named group; it refers to threat actors only generally. No aliases or associated groups are named, though the observed tactics target Microsoft 365 environments.
## Activity Summary
Threat actors are actively using the **PoisonSeed phishing attack** technique to downgrade or bypass FIDO2 Multi-Factor Authentication (MFA) protections during login flows.
In one observed method, actors manipulate legitimate cross-device authentication workflows to proceed without requiring the user's physical FIDO2 security key. In a separate incident, an actor compromised an account (believed via phishing), reset the password, and successfully registered their own FIDO key without needing to trick the user interactively (e.g., via QR code exchange).
## Tactics, Techniques & Procedures
- **Phishing:** Used to initiate account compromise, potentially leading to password reset or session hijacking.
- **MFA Downgrade/Bypass (FIDO2 Abuse):** Abusing legitimate cross-device authentication features to circumvent the requirement for a physical FIDO key interaction.
- **Credential Abuse:** Registering their own security key after gaining initial access (via password reset).
- MITRE ATT&CK IDs are not explicitly mentioned in the provided context.
## Targeting
- **Sectors:** Not specified, but the targeting of users protected by FIDO2 MFA suggests organizations with high-security requirements (e.g., finance, tech, government contractors).
- **Geography:** Not specified.
- **Victims:** Organizations that use FIDO2 security keys for authentication; the campaign specifically focuses on bypassing these protections.
## Tools & Infrastructure
- **Malware Families Used:** None specified in the context of the FIDO2 downgrade technique. The technique itself is delivery/session-based.
- **Infrastructure (C2, domains, IPs):** Not detailed in this summary of the phishing technique itself.
## Implications
This activity demonstrates that threat actors are sophisticated in finding ways to circumvent "phishing-resistant" MFA by exploiting legitimate design features, specifically FIDO2 cross-device authentication. That a comparatively basic phishing attack succeeds suggests weaknesses in how these advanced controls are implemented or configured.
## Mitigations
- Limit geographic locations from which users are allowed to log in, and establish a registration process for traveling individuals.
- Routinely check for the registration of unknown FIDO keys originating from unknown locations or uncommon security key brands.
- Organizations should consider enforcing **Bluetooth-based authentication** as a hard requirement for cross-device authentication to significantly reduce the effectiveness of remote phishing attacks.
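The second mitigation (reviewing new FIDO key registrations for unknown locations, uncommon authenticator brands, and the post-password-reset pattern described in the incident above) can be turned into a routine check over identity-provider audit events. The following is an added example, not code from the report or any vendor; it assumes the IdP exports each credential-creation event with the user, the authenticator AAGUID from attestation, the client's geo-IP country, the WebAuthn transports (where "hybrid" denotes a cross-device flow), and a timestamp, and that password-reset events are available alongside. All AAGUIDs and events below are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Allowlist of authenticator models (by AAGUID) the organisation issues.
# Constructed placeholder value: replace with the AAGUIDs of the key models actually issued.
APPROVED_AAGUIDS = {"00000000-0000-0000-0000-00000000aaaa": "corp-issued key, model A"}

@dataclass
class KeyRegistration:          # one WebAuthn credential-creation audit event (assumed schema)
    user: str
    aaguid: str                 # authenticator model identifier taken from the attestation
    country: str                # geo-IP country of the client that completed registration
    transports: tuple           # e.g. ("usb",) or ("hybrid",) for a cross-device flow
    registered_at: datetime

@dataclass
class PasswordReset:            # one password-reset audit event (assumed schema)
    user: str
    reset_at: datetime

def review_registrations(regs, resets, home_countries, reset_window=timedelta(hours=24)):
    """Return {user: [reasons]} for key registrations an analyst should look at."""
    findings = {}
    for reg in regs:
        reasons = []
        if reg.aaguid not in APPROVED_AAGUIDS:
            reasons.append("authenticator model not on the approved list")
        if reg.country not in home_countries.get(reg.user, set()):
            reasons.append(f"registered from unexpected location {reg.country}")
        if "hybrid" in reg.transports:
            reasons.append("registered over cross-device (hybrid) transport")
        # The incident pattern: attacker resets the password, then enrols their own key.
        if any(r.user == reg.user and timedelta(0) <= reg.registered_at - r.reset_at <= reset_window
               for r in resets):
            reasons.append("registered shortly after a password reset")
        if reasons:
            findings.setdefault(reg.user, []).extend(reasons)
    return findings

def demo():
    """Run the review over a constructed event sample; returns the findings dict."""
    t0 = datetime(2025, 7, 1, 9, 0)
    regs = [
        KeyRegistration("alice", "00000000-0000-0000-0000-00000000aaaa", "US", ("usb",), t0),
        KeyRegistration("bob", "00000000-0000-0000-0000-0000deadbeef", "XX", ("hybrid",),
                        t0 + timedelta(hours=2)),
    ]
    resets = [PasswordReset("bob", t0)]   # bob's password was reset two hours before enrolment
    return review_registrations(regs, resets, {"alice": {"US"}, "bob": {"US"}})

if __name__ == "__main__":
    for user, reasons in demo().items():
        print(user, "->", "; ".join(reasons))
```

Any single reason is a triage prompt rather than proof of compromise; the combination of an unapproved model, an unexpected location and a recent password reset is the pattern worth escalating.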