Cybersecurity researchers at Expel have uncovered a sophisticated new attack technique that allows threat actors to circumvent the robust security protections typically provided by FIDO keys.
The attack, attributed to the PoisonSeed group known for large-scale cryptocurrency phishing campaigns, represents a concerning evolution in identity-based attacks that exploit legitimate cross-device sign-in functionality to gain unauthorized account access.
Novel Phishing Technique Targets FIDO Key Users
The attack begins with a traditional phishing email that directs victims to fraudulent login pages mimicking legitimate authentication portals.
However, what distinguishes this technique is how attackers handle users protected by FIDO keys.
When a target enters their credentials on the fake site, the attackers automatically submit these credentials to the legitimate login portal along with a request for cross-device sign-in functionality.
The cross-device sign-in feature, designed to help users authenticate on devices without registered passkeys by using additional devices like mobile phones, becomes the attack vector.
The legitimate portal generates a QR code for cross-device authentication, which the phishing site immediately captures and displays to the victim.
When the user scans this QR code with their MFA authenticator app, they unknowingly complete the authentication process for the attackers, granting them full account access.
This adversary-in-the-middle (AitM) attack effectively neutralizes the security advantages that FIDO keys typically provide, demonstrating how legitimate security features can be weaponized against users through social engineering tactics.
Growing Threat to Identity-Based Security
The emergence of this technique coincides with a significant increase in identity-based attacks across the cybersecurity landscape.
According to Expel’s Q1 2025 threat report, identity-based attacks now account for 66.2% of all security incidents, highlighting the urgent need for enhanced authentication monitoring and controls.
Security teams are advised to implement several protective measures, including geographic restrictions on login locations, monitoring for unusual FIDO key registrations, and enabling Bluetooth communication requirements for cross-device sign-in processes.
Organizations should also audit authentication logs for suspicious cross-device sign-in requests originating from unexpected locations or involving unrecognized key brands.
Enhanced Monitoring Strategies Required
While FIDO keys remain a valuable security investment, this attack underscores the need for comprehensive authentication monitoring strategies.
Security teams should look for telltale signs such as multiple FIDO key registrations in quick succession, unfamiliar key brands, and cross-device sign-in requests from unusual geographic locations.
The PoisonSeed attack represents the latest escalation in the ongoing battle between cybercriminals and security professionals, demonstrating that even advanced authentication technologies require careful implementation and monitoring to maintain their effectiveness against evolving social engineering techniques.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
%20(1).webp?resize=1600,900&ssl=1&description=PoisonSeed+Attack+Exploits+QR+Codes+to+Bypass+MFA+Authentication){kind=link}