PoisonSeed Phishing Attack Exploits WebAuthn to Bypass FIDO2 Security Keys
A sophisticated phishing campaign dubbed PoisonSeed is circumventing FIDO2 multi-factor authentication by abusing WebAuthn's cross-device sign-in feature, tricking users into approving malicious logins via QR codes. Security firm Expel reveals that this downgrade attack does not exploit flaws in FIDO2; it manipulates legitimate functionality, which highlights the evolving threats to phishing-resistant MFA. Organizations must reassess their defenses as attackers innovate around hardware security keys.