Proofpoint researchers have uncovered a novel technique allowing threat actors to bypass FIDO-based authentication through downgrade attacks, leveraging a custom phishlet within adversary-in-the-middle (AiTM) frameworks.
This method exploits gaps in browser compatibility and user agent handling, forcing victims to revert to less secure multi-factor authentication (MFA) mechanisms, thereby enabling credential theft and session hijacking.
While FIDO standards, promoted by the FIDO Alliance, are hailed as phishing-resistant by eliminating traditional passwords and incorporating hardware keys with biometrics or PINs, this downgrade vector demonstrates that even robust systems can be undermined by social engineering and protocol manipulation.
Phishing-Resistant Authentication
The attack hinges on the creation of a dedicated phishlet for tools like Evilginx, a popular AiTM framework.
In execution, attackers initiate the phishing chain by delivering a malicious link via email, SMS, or OAuth consent prompts, directing victims to a spoofed login page.
By spoofing an unsupported user agent, such as one mimicking Safari on Windows, which lacks FIDO2 compatibility with Microsoft Entra ID, the phishlet triggers an authentication error.

This prompts the victim to select an alternative sign-in method, typically a fallback MFA like Microsoft Authenticator, where they enter verification codes.
Once authenticated, the AiTM proxy intercepts credentials, MFA tokens, and session cookies, allowing attackers to import these into their browsers for full account takeover (ATO).
Post-compromise activities can then include data exfiltration, lateral movement, or further network infiltration, amplifying the risks in enterprise environments.
Implications for Phishing Evolution
Although Proofpoint has not observed this FIDO downgrade technique in active campaigns, its feasibility underscores a growing sophistication in phishing kits, which have evolved from basic credential harvesters to advanced PhaaS platforms like EvilProxy and Tycoon.
Traditional phishlets fail against FIDO-secured accounts, often resulting in errors, but this customized approach exploits the common administrative practice of maintaining MFA backups for account recovery.
Researchers note that the technique builds on prior findings, such as vulnerabilities in Windows Hello for Business, but extends to broader Microsoft Entra ID implementations without being limited to specific setups.
The downgrade relies on missing security measures in handling unrecognized user agents, effectively tricking the system into bypassing phishing-resistant protocols.
The absence of real-world exploitation may stem from attackers’ preference for lower-effort targets, such as accounts with weak MFA or no secondary factors, which remain abundant and easier to compromise without advanced phishlet modifications.
However, as organizations increasingly adopt FIDO to counter rising AiTM threats, evidenced by billions of daily phishing attempts, sophisticated actors, including advanced persistent threats (APTs) and state-sponsored groups, could integrate this tactic into their kill chains.
This evolution highlights the need for enhanced defenses, including real-time user agent validation, stricter FIDO enforcement without fallbacks, and comprehensive security awareness training to recognize urgent authentication prompts.
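The user agent validation and fallback-method monitoring called for above, as an added example that is not Proofpoint's code and not part of the original article: it flags successful sign-ins where a FIDO-registered user authenticated with a weaker method and/or from a Safari-on-Windows user agent. The log format, field names, sample records and user list are constructed for illustration (not the Entra ID sign-in log schema), and the Safari-on-Windows heuristic is one plausible check rather than a complete detection.

```python
import re

# Constructed sample sign-in records (NOT the Entra ID schema): a simplified
# key=value format with the user agent quoted.
SAMPLE_LOGS = [
    "user=alice@corp.example method=fido2 result=success "
    "ua='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/17.4 Safari/605.1.15'",
    "user=bob@corp.example method=authenticator_otp result=success "
    "ua='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 Version/5.1.7 Safari/605.1.15'",
    "user=carol@corp.example method=authenticator_otp result=success "
    "ua='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0.0.0 Safari/537.36'",
]

# Users with a FIDO2 credential registered, and methods weaker than it (constructed).
FIDO_REGISTERED = {"alice@corp.example", "bob@corp.example", "carol@corp.example"}
WEAKER_METHODS = {"authenticator_otp", "authenticator_push", "sms", "password"}

FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

def parse_record(line):
    """Turn "k=v k2='quoted v'" into a dict."""
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}

def is_safari_on_windows(ua):
    """Real Safari sends 'Version/x Safari/y' with no Chromium token; Apple
    dropped Safari for Windows in 2012, so this combination is implausible."""
    chromium_tokens = ("Chrome/", "Chromium/", "Edg/", "OPR/")
    return ("Windows" in ua and "Version/" in ua and "Safari/" in ua
            and not any(t in ua for t in chromium_tokens))

def find_downgrades(lines, fido_users):
    """Flag successful sign-ins by FIDO-registered users that used a weaker
    method and/or came from an implausible user agent."""
    hits = []
    for line in lines:
        r = parse_record(line)
        if r.get("result") != "success" or r.get("user") not in fido_users:
            continue
        reasons = []
        if r.get("method") in WEAKER_METHODS:
            reasons.append("fido-registered user used weaker method")
        if is_safari_on_windows(r.get("ua", "")):
            reasons.append("implausible user agent (Safari on Windows)")
        if reasons:
            hits.append((r["user"], r["method"], reasons))
    return hits

if __name__ == "__main__":
    for user, method, reasons in find_downgrades(SAMPLE_LOGS, FIDO_REGISTERED):
        print(f"{user}: {method}: {'; '.join(reasons)}")
```

A record that trips both checks (bob above) is the pattern described in this article; a weaker method alone (carol) is the ordinary backup-MFA use the attack hides behind, so it is worth reviewing but is a lower-confidence signal.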
Proofpoint emphasizes that while FIDO remains highly recommended against credential phishing and ATO, proactive monitoring and adaptive security postures are essential to mitigate these emerging downgrade risks in the dynamic threat landscape.