PoisonSeed Phishing Campaign Bypasses FIDO2 Protections by Abusing Cross-Device Authentication

In a stark reminder that even the most robust security mechanisms can be subverted through user deception, a new phishing campaign—dubbed PoisonSeed—is successfully bypassing FIDO2 hardware security keys. As detailed in a recent report by Expel and covered by BleepingComputer, threat actors exploit the WebAuthn protocol's cross-device authentication feature to trick users into approving fraudulent login attempts. This attack doesn't crack cryptographic defenses but instead manipulates human behavior and system workflows, underscoring the cat-and-mouse game in cybersecurity.

How the Attack Unfolds: A Step-by-Step Downgrade

The PoisonSeed campaign, historically known for cryptocurrency theft via seed phrase phishing, now targets corporate credentials. Here’s how it undermines FIDO2 security:

  1. Phishing Lure: Users receive emails directing them to fake Okta or Microsoft 365 login portals.
  2. Credential Capture: When victims enter usernames and passwords, an adversary-in-the-middle (AiTM) backend instantly uses these on the legitimate service.
  3. Authentication Downgrade: Instead of triggering the user’s physical FIDO2 key, the attacker requests cross-device authentication via WebAuthn. This prompts the real portal to generate a QR code, sent back to the phishing page.
  4. User Deception: Victims scan the QR code with their smartphone or authenticator app, unknowingly approving the attacker’s session. As Expel notes, this bypasses FIDO2’s phishing-resistant design by shifting authentication to a less secure method.

"This attack does not exploit a flaw in the FIDO2 implementation but abuses a legitimate feature that downgrades the authentication process," Expel researchers emphasize. It’s a clever workaround that exploits the convenience of cross-device flows—designed for flexibility—against users.

Implications for Security Teams and Developers

The PoisonSeed tactic reveals critical vulnerabilities in MFA strategies:
- Feature Abuse Over Exploits: Attackers increasingly weaponize legitimate functionalities (like QR-based auth) rather than hunting for zero-days, making detection harder.
- Erosion of Phishing Resistance: FIDO2 keys are touted as phishing-proof, but social engineering can nullify their physical security if users approve malicious requests.
- Broader Threat Landscape: Expel also observed attackers registering their own FIDO keys post-account compromise, showing multiple paths to undermine MFA.

Mitigation Strategies: Beyond Basic Vigilance

Expel recommends proactive defenses to counter such attacks:
- Geofencing: Restrict logins to approved locations, with exemptions managed via a formal travel registration process.
- FIDO Key Auditing: Monitor for unfamiliar security keys registered from suspicious locations or brands.
- Enforce Bluetooth Authentication: Mandating Bluetooth for cross-device logins adds proximity requirements, reducing remote attack viability.

For developers, this underscores the need to implement contextual checks in auth flows—such as verifying device trust or requiring step-up authentication for unusual requests. Security leaders must balance usability with resilience, recognizing that user education alone is insufficient against sophisticated social engineering.
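The mitigations above (geofencing with travel exemptions, key auditing, step-up for unusual cross-device requests) and the post-compromise key registrations Expel observed, expressed as one policy evaluated over authentication events. This is an added example, not code from Expel, Okta, Microsoft or BleepingComputer; the event fields, country codes, placeholder AAGUIDs and the 30-minute window are assumptions, while `hybrid` is the WebAuthn transport hint that identifies a cross-device (QR) flow.

```python
from dataclasses import dataclass
# Constructed policy data (placeholders, not values from the report).
APPROVED_COUNTRIES = {"US", "CA"}
TRAVEL_REGISTRATIONS = {("alice", "DE")}         # (user, country) cleared via the travel process
KNOWN_KEY_AAGUIDS = {"aaguid-issued-key-model"}  # placeholder AAGUIDs of organisation-issued keys
POST_HYBRID_WINDOW_MIN = 30  # a new key soon after a cross-device sign-in is treated as hostile

@dataclass
class AuthEvent:
    ts_min: int        # minutes since an arbitrary epoch (constructed clock)
    user: str
    kind: str          # "assertion" (sign-in) or "registration" (new credential)
    transport: str     # WebAuthn transport hint: usb, nfc, ble, internal, hybrid
    country: str       # geolocated from the client IP the relying party sees
    aaguid: str = ""   # authenticator model id, present on registrations

def evaluate_stream(events: list[AuthEvent]) -> list[tuple[str, str]]:
    """Evaluate events in time order and return (decision, reason) for each.
    Decisions: allow, step_up (demand a phishing-resistant factor), deny."""
    last_hybrid: dict[str, int] = {}  # user -> time of most recent cross-device sign-in
    out = []
    for ev in sorted(events, key=lambda e: e.ts_min):
        if ev.country not in APPROVED_COUNTRIES and (ev.user, ev.country) not in TRAVEL_REGISTRATIONS:
            out.append(("deny", f"geofence: {ev.country} not approved for {ev.user}"))
        elif ev.kind == "assertion" and ev.transport == "hybrid":
            # The QR/cross-device path is the downgrade the campaign relies on,
            # so the approval alone is not trusted: force step-up and remember it.
            last_hybrid[ev.user] = ev.ts_min
            out.append(("step_up", "cross-device (hybrid) sign-in"))
        elif ev.kind == "assertion":
            out.append(("allow", f"{ev.transport} sign-in"))
        elif ev.ts_min - last_hybrid.get(ev.user, -10**9) <= POST_HYBRID_WINDOW_MIN:
            out.append(("deny", "key registered shortly after a cross-device sign-in"))
        elif ev.aaguid not in KNOWN_KEY_AAGUIDS:
            out.append(("deny", f"key audit: unfamiliar authenticator {ev.aaguid}"))
        else:
            out.append(("allow", "known key model registered"))
    return out

# Constructed sample events: a normal key sign-in, a PoisonSeed-style hybrid sign-in
# followed by an attacker key registration, a registered trip, an out-of-geofence login.
SAMPLE_EVENTS = [
    AuthEvent(0, "alice", "assertion", "usb", "US"),
    AuthEvent(5, "bob", "assertion", "hybrid", "US"),
    AuthEvent(12, "bob", "registration", "hybrid", "US", aaguid="aaguid-unknown"),
    AuthEvent(20, "alice", "assertion", "usb", "DE"),
    AuthEvent(25, "carol", "assertion", "usb", "BR"),
    AuthEvent(400, "alice", "registration", "usb", "US", aaguid="aaguid-issued-key-model"),
]
```

Running `evaluate_stream(SAMPLE_EVENTS)` flags bob's QR sign-in for step-up and denies the key he registers seven minutes later, while alice's registered trip to DE passes the geofence.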

As MFA bypass techniques evolve, PoisonSeed exemplifies how threat actors innovate within the seams of trusted protocols. The real vulnerability isn’t in the code but in the gap between human intuition and system design—a gap attackers are all too eager to bridge.

Source: Expel research as reported by BleepingComputer.