PoisonSeed Attack Tricks Users into Scanning Malicious MFA QR Codes
A sophisticated new cyber attack technique has emerged that exploits the cross-device sign-in features of FIDO keys, effectively bypassing one of the most secure forms of multifactor authentication (MFA) available today.
Security researchers have identified this adversary-in-the-middle (AitM) attack, attributed to the PoisonSeed threat group, which demonstrates how attackers can circumvent hardware-based authentication protections through social engineering tactics.
Attack Vector and Initial Compromise
The attack begins with a conventional phishing campaign targeting corporate employees through fraudulent emails.
Victims are directed to sophisticated spoofed login pages that closely mimic legitimate authentication portals, complete with organizational branding and familiar user interface elements.
In documented cases, attackers have registered malicious domains such as okta[.]login-request[.]com, often created just days before the attack to evade detection systems.
These fake authentication pages leverage reputable content delivery networks like Cloudflare to enhance their perceived legitimacy and reduce suspicion among potential victims.
The use of trusted infrastructure services represents a common tactic to bypass security filters and establish credibility with unsuspecting users.
Cross-Device Authentication Exploitation
The technical sophistication of this attack lies in its abuse of legitimate FIDO key cross-device sign-in functionality.

When users with FIDO-protected accounts enter their credentials on the phishing site, the malicious infrastructure automatically relays these stolen credentials to the genuine authentication portal while simultaneously requesting cross-device sign-in capabilities.
This process triggers the legitimate authentication system to generate a QR code for alternative device verification.
The phishing infrastructure captures this authentic QR code and presents it to the victim through the fake login interface.
When users scan the QR code with their mobile MFA authenticator apps, they inadvertently complete the authentication process for the attackers, granting unauthorized access to protected accounts.
PoisonSeed, the threat group behind these attacks, has established a reputation for conducting large-scale phishing campaigns primarily focused on cryptocurrency theft from digital wallets.
However, the techniques demonstrated in these FIDO key bypass attacks show potential for broader application across various target sectors and attack objectives.
The emergence of such attacks represents a significant escalation in the ongoing arms race between cybercriminals and cybersecurity professionals, highlighting how even premium authentication technologies can be circumvented through creative social engineering approaches.
Security teams can implement several protective measures to mitigate these attacks.
Geographic restrictions on login attempts, mandatory Bluetooth proximity verification for cross-device authentication, and comprehensive audit logging of FIDO key registrations provide additional security layers.
Organizations should monitor for suspicious authentication patterns, including multiple rapid key registrations and cross-device sign-in requests from unexpected locations.
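The two patterns named above (a burst of FIDO key registrations for one account, and a cross-device sign-in request from a location the user has never authenticated from) can be checked with a small pass over authentication events. The following is an added illustration, not code from the article or from any vendor; the event schema, field names and sample events are constructed assumptions and would need to be mapped onto your identity provider's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events with a hypothetical schema (not any vendor's real log format).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2025-07-18T09:00:00", "type": "fido.cross_device_signin", "country": "US"},
    {"user": "alice", "ts": "2025-07-18T09:02:00", "type": "fido.cross_device_signin", "country": "RU"},
    {"user": "bob",   "ts": "2025-07-18T10:00:00", "type": "fido.key_registered",      "country": "US"},
    {"user": "bob",   "ts": "2025-07-18T10:01:00", "type": "fido.key_registered",      "country": "US"},
    {"user": "bob",   "ts": "2025-07-18T10:03:00", "type": "fido.key_registered",      "country": "US"},
    {"user": "carol", "ts": "2025-07-18T11:00:00", "type": "fido.key_registered",      "country": "US"},
]

# Countries each user is known to authenticate from (assumed baseline, e.g. derived from prior history).
EXPECTED_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def detect_suspicious_fido_activity(events, expected_countries,
                                    max_registrations=2, window=timedelta(minutes=10)):
    """Return a list of (alert_type, user, detail) tuples.

    - cross_device_unexpected_location: a cross-device (QR code) sign-in request
      from a country outside the user's baseline.
    - rapid_key_registrations: more than max_registrations FIDO key registrations
      for one user inside the sliding window.
    """
    alerts = []
    recent_registrations = defaultdict(list)  # user -> timestamps within window
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "fido.cross_device_signin":
            if e["country"] not in expected_countries.get(e["user"], set()):
                alerts.append(("cross_device_unexpected_location", e["user"], e["country"]))
        elif e["type"] == "fido.key_registered":
            recent = recent_registrations[e["user"]]
            recent.append(ts)
            # Drop registrations that have aged out of the window before counting.
            recent[:] = [t for t in recent if ts - t <= window]
            if len(recent) > max_registrations:
                alerts.append(("rapid_key_registrations", e["user"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_fido_activity(SAMPLE_EVENTS, EXPECTED_COUNTRIES):
        print(alert)
```

The thresholds and window are deliberately conservative starting points; tune them against your own registration and cross-device sign-in volumes before alerting on them.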
While FIDO keys remain among the most secure authentication methods available, this attack underscores the critical importance of user education and comprehensive security awareness training programs.