A novel attack vector has emerged that could undermine one of the most trusted authentication methods in cybersecurity.
FIDO-based passkeys, long considered the gold standard for phishing-resistant authentication, are now facing a potentially devastating attack technique that forces users to downgrade to less secure authentication methods.
The technique does not break FIDO itself. It abuses a gap in how FIDO sign-in is offered across major platforms, notably Microsoft Entra ID, which withholds the passkey option from browsers it does not recognise as supporting it.
This seemingly minor compatibility gap creates an opportunity for attackers to manipulate the authentication flow, steering victims into traditional multi-factor authentication methods that are susceptible to adversary-in-the-middle (AiTM) attacks.
Error shown when using a standard phishlet against a user with FIDO authentication (Source – Proofpoint)
Modern phishing campaigns have evolved significantly with the rise of sophisticated AiTM phishing kits such as Evilginx, EvilProxy, and Tycoon, which have made session hijacking far more accessible to threat actors.
List of victims' sessions in Evilginx (Source – Proofpoint)
These platforms provide intuitive interfaces that lower the technical barrier, enabling attackers to run complex phishing operations with unprecedented ease.
Proofpoint researchers identified this emerging threat after observing that standard phishlets usually fail when they encounter FIDO-secured accounts, which has prompted attackers to develop specialised techniques.
The attack begins when victims receive phishing messages containing malicious links served by a dedicated FIDO downgrade phishlet.
Upon clicking, targets encounter what appears to be an authentication error, prompting them to select an alternative sign-in method.
Because the AiTM proxy relays the genuine Microsoft sign-in pages rather than imitating them, the error looks entirely legitimate and creates a convincing illusion of a system malfunction.
Technical Implementation and User Agent Spoofing
The core mechanism behind FIDO authentication downgrade attacks is user agent spoofing.
Attackers configure their AiTM infrastructure so that the requests it forwards to Microsoft carry the User-Agent of an unsupported browser environment, such as Safari on Windows, for which Entra ID does not offer FIDO2 sign-in. The victim's real browser is irrelevant, because Microsoft only ever sees the header the proxy sends.
The attacker successfully authenticates as the victim using the intercepted session cookie (Source – Proofpoint)
When the authentication service sees this spoofed environment, it automatically offers the fallback sign-in methods.
Once victims authenticate through the downgraded method, the attackers' reverse proxy captures the credentials and the resulting session tokens.
The stolen session cookies can then be imported directly into the attacker's browser, enabling full account takeover without triggering additional authentication challenges.
The technique therefore bypasses even robust FIDO deployments by exploiting the human element and the platform's fallback logic rather than any weakness in the cryptographic protocol itself. It only succeeds where the tenant still allows a weaker method to complete sign-in; enforcing phishing-resistant MFA through Conditional Access authentication strengths removes the fallback the attack depends on.
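To show what the downgrade looks like from the defender's side, here is an added example that is not part of Proofpoint's research or of any of the phishing kits discussed. It hunts for the two indicators described above in constructed, simplified Entra ID sign-in records: a User-Agent that claims Safari on Windows, a browser Apple has not shipped since 2012, and a known passkey holder completing sign-in with a method that is not phishing-resistant. The record shape, the method names and the PASSKEY_USERS inventory are assumptions made for the example.

```python
"""Hunt for FIDO-downgrade sign-ins in simplified Entra ID sign-in records.

Two signals are checked per record:
  1. The User-Agent claims Safari on Windows. Apple stopped shipping Safari
     for Windows in 2012, so a modern sign-in carrying that combination is
     almost certainly a proxy rewriting the header to suppress passkeys.
  2. A user known to hold a passkey completed sign-in with a method that is
     not phishing-resistant (password plus push, SMS, TOTP, ...).
"""
import json
import re

# Constructed sample log: three JSON records, one per line. Field names follow
# the Entra ID sign-in log (userAgent, authenticationDetails, ipAddress) but the
# records themselves are simplified and invented for this example.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36", "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": true}]}
{"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15", "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}, {"authenticationMethod": "Mobile app notification", "succeeded": true}]}
{"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.5", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15", "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}, {"authenticationMethod": "Text message", "succeeded": true}]}
"""

# Assumed inventory of users who have registered a passkey. In practice this
# comes from the tenant's registered authentication methods.
PASSKEY_USERS = {"alice@example.com"}

# Method names treated as phishing-resistant. The names are illustrative.
PHISHING_RESISTANT = {
    "FIDO2 security key",
    "Passkey",
    "Windows Hello for Business",
    "Certificate-based authentication",
}

# Every Chromium-based browser also carries "Safari/" in its User-Agent, so
# Safari is only inferred when "Version/" is present and none of these are.
_CHROMIUM_MARKERS = re.compile(r"(Chrome|Chromium|CriOS|Edg|OPR)/")


def classify_user_agent(ua: str) -> dict:
    """Return a coarse browser/OS classification plus an 'anomalous' flag."""
    is_windows = "Windows NT" in ua
    is_safari = "Safari/" in ua and "Version/" in ua and not _CHROMIUM_MARKERS.search(ua)
    if is_safari:
        browser = "Safari"
    elif "Edg/" in ua:
        browser = "Edge"
    elif "Chrome/" in ua:
        browser = "Chrome"
    else:
        browser = "Other"
    os_name = "Windows" if is_windows else ("macOS" if "Macintosh" in ua else "Other")
    # Safari on Windows is the spoofed combination used to suppress passkeys.
    return {"browser": browser, "os": os_name, "anomalous": is_safari and is_windows}


def load_records(text: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_downgrades(records: list, passkey_users: set) -> list:
    """Return one finding per record that shows downgrade indicators."""
    findings = []
    for rec in records:
        ua = classify_user_agent(rec["userAgent"])
        succeeded = {
            d["authenticationMethod"]
            for d in rec.get("authenticationDetails", [])
            if d.get("succeeded")
        }
        reasons = []
        if ua["anomalous"]:
            reasons.append("User-Agent claims Safari on Windows, a browser not shipped since 2012")
        user = rec["userPrincipalName"]
        if user in passkey_users and succeeded and not (succeeded & PHISHING_RESISTANT):
            reasons.append("passkey holder signed in via " + ", ".join(sorted(succeeded)))
        if reasons:
            findings.append({"user": user, "ip": rec["ipAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_downgrades(load_records(SAMPLE_LOG), PASSKEY_USERS):
        print(f"{finding['user']} from {finding['ip']}:")
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed data only the second record is flagged, for both reasons at once. The first signal is cheap and high-confidence on its own, because no legitimate client produces that User-Agent; the second needs the passkey inventory but catches proxies that pick a different unsupported browser string.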