Hackers Using Dedicated Phishlet to Launch FIDO Authentication Downgrade Attacks

A sophisticated new threat vector has emerged that could undermine one of the most trusted authentication methods in cybersecurity.

FIDO-based passkeys, long considered the gold standard for phishing-resistant authentication, are now facing a potentially devastating attack technique that forces users to downgrade to less secure authentication methods.

The attack does not exploit a flaw in FIDO itself. It exploits a gap in passkey support: Microsoft Entra ID does not support FIDO2 sign-in from every browser and operating system combination, and when passkey sign-in is unavailable the user is offered whichever other methods are registered on the account.


This seemingly minor compatibility gap creates an opportunity for cybercriminals to manipulate the authentication process, forcing victims into using traditional multi-factor authentication methods that are susceptible to adversary-in-the-middle attacks.

Error shown when using a standard phishlet for a user with FIDO authentication (Source – Proofpoint)

Modern phishing campaigns have evolved significantly with the rise of sophisticated AiTM phishing kits like Evilginx, EvilProxy, and Tycoon, which have made session hijacking more accessible to threat actors.

List of victim’s sessions in Evilginx (Source – Proofpoint)

These platforms provide intuitive interfaces that lower technical barriers, enabling attackers to execute complex phishing operations with unprecedented ease.

Proofpoint researchers identified this emerging threat after discovering that standard phishlets typically fail when encountering FIDO-secured accounts, prompting attackers to develop specialized techniques.

The attack begins when victims receive phishing messages containing malicious links powered by a dedicated FIDO downgrade phishlet.

Upon clicking, targets encounter what appears to be an authentication error, compelling them to select alternative sign-in methods.

This deceptive interface mirrors legitimate Microsoft authentication pages, creating a convincing illusion of system malfunction.

Technical Implementation and User Agent Spoofing

The core mechanism behind FIDO authentication downgrade attacks is user agent spoofing: the AiTM proxy replaces the User-Agent header the victim's real browser sends with one that Entra ID does not support for passkey sign-in.

In the case Proofpoint observed, the infrastructure presents itself as Safari on Windows, a combination for which Entra ID does not offer FIDO2 authentication, so the passkey option never appears.

The attacker successfully authenticates as the victim, using the intercepted session cookie (Source – Proofpoint)

When the authentication system detects this spoofed environment, it automatically presents fallback options.

From that point on, the sequence is standard AiTM session hijacking. Once the victim completes the downgraded method, the reverse proxy relays the credentials to Microsoft and captures the session tokens that come back.

The stolen session cookies can then be imported directly into the attacker’s browser, enabling complete account takeover without requiring additional authentication challenges.

This technique does not defeat FIDO's cryptography. It sidesteps it by steering the user to a non-phishing-resistant fallback, so the practical defence is to remove the fallback: in Entra ID, a Conditional Access policy that requires the phishing-resistant MFA authentication strength refuses the weaker methods the proxy relies on, and the "unsupported browser" path then ends in a blocked sign-in rather than a downgraded one. Monitoring for the user agent mismatch itself is a useful secondary control, since a genuine Safari-on-Windows client is not something a modern user population produces.
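The user agent spoof and the downgrade described above leave a detectable trace in sign-in telemetry. The following is an added example, not Proofpoint's research tooling or Evilginx code: it flags sign-ins where a non-phishing-resistant method was used from a user agent that claims Safari on Windows, and, as a weaker signal, sign-ins where a user who is seen using a passkey elsewhere in the batch fell back to another method. The record field names are simplified assumptions loosely modelled on Entra ID sign-in log entries, the method names are assumptions, and the sample records and user agent strings are constructed for the example.

```python
"""Flag sign-ins that look like a FIDO downgrade through an AiTM proxy.

Added example, not Proofpoint's or Evilginx's code. Records are constructed and
use simplified field names (userPrincipalName, userAgent, authenticationMethod)
loosely modelled on Entra ID sign-in logs; adapt them to your export format.
"""
import re
from collections import defaultdict

# Constructed Safari-on-Windows user agent of the kind the article describes:
# Safari's own engine and Version/ tokens combined with a Windows platform
# token. Apple stopped shipping Safari for Windows in 2012, so this is not a
# browser a user could realistically be running today.
SPOOFED_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/17.4 Safari/605.1.15"
)

# Methods treated as phishing-resistant for this example; everything else is a
# fallback an AiTM proxy can relay. These names are assumptions, not an
# official Microsoft list.
PHISHING_RESISTANT = {"FIDO2 security key", "Passkey", "Windows Hello for Business"}

# Chromium-family browsers also advertise "Safari/", so their tokens must be
# excluded before a user agent is treated as real Safari.
CHROMIUM_TOKENS = re.compile(r"Chrome/|Chromium/|Edg/|OPR/|CriOS/|FxiOS/")


def is_real_safari(ua: str) -> bool:
    """Real Safari carries both 'Safari/' and 'Version/' and no Chromium token."""
    return "Safari/" in ua and "Version/" in ua and not CHROMIUM_TOKENS.search(ua)


def is_windows(ua: str) -> bool:
    return "Windows NT" in ua


def implausible_platform(ua: str) -> bool:
    """Safari claiming to run on Windows: the combination the article names."""
    return is_real_safari(ua) and is_windows(ua)


def flag_downgrades(records):
    """Return (upn, method, reason) tuples for suspicious sign-ins.

    Strong signal: a non-phishing-resistant method from an implausible user
    agent. Weak signal: a user who used a passkey elsewhere in the batch signed
    in with a fallback method.
    """
    has_passkey = defaultdict(bool)
    for r in records:
        if r["authenticationMethod"] in PHISHING_RESISTANT:
            has_passkey[r["userPrincipalName"]] = True

    hits = []
    for r in records:
        method = r["authenticationMethod"]
        if method in PHISHING_RESISTANT:
            continue  # passkey sign-ins cannot be relayed by the proxy
        upn = r["userPrincipalName"]
        if implausible_platform(r["userAgent"]):
            hits.append((upn, method, "implausible user agent"))
        elif has_passkey[upn]:
            hits.append((upn, method, "passkey user fell back"))
    return hits


CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
EDGE_WIN = CHROME_WIN + " Edg/124.0.0.0"
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.4 Safari/605.1.15")

# Constructed sample batch: alice normally uses a passkey, then "authenticates"
# via the proxy's spoofed user agent with a push notification; bob is a genuine
# Mac Safari user without a passkey; carol owns a passkey but fell back to a
# password from a real Edge browser.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "userAgent": CHROME_WIN,
     "authenticationMethod": "FIDO2 security key"},
    {"userPrincipalName": "alice@example.com", "userAgent": SPOOFED_UA,
     "authenticationMethod": "Mobile app notification"},
    {"userPrincipalName": "bob@example.com", "userAgent": SAFARI_MAC,
     "authenticationMethod": "Text message"},
    {"userPrincipalName": "carol@example.com", "userAgent": EDGE_WIN,
     "authenticationMethod": "FIDO2 security key"},
    {"userPrincipalName": "carol@example.com", "userAgent": EDGE_WIN,
     "authenticationMethod": "Password"},
]

if __name__ == "__main__":
    for upn, method, reason in flag_downgrades(SAMPLE_SIGNINS):
        print(f"{upn}: {method} ({reason})")
```

On the constructed batch this reports alice's push-notification sign-in from the spoofed user agent as the strong hit and carol's password fallback as the weak one, while bob's genuine Mac Safari sign-in is left alone. In production the "passkey user fell back" signal should be computed against a longer baseline than a single batch, and the user agent check is a heuristic: a proxy can just as easily claim any other unsupported combination, so the Conditional Access control that removes the fallback is the primary defence.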



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.