SOC · 6 MIN READ · BEN NAHORNEY AND BRANDON OVERSTREET · JUL 17, 2025
TL;DR
- Bad actors have figured out how to bypass FIDO keys when compromising accounts
- This technique is being leveraged in phishing attacks
- The attack involves tricking a user into scanning a QR code with an MFA authenticator
Our SOC recently spotted a novel attack technique that socially engineers a target to get around the protection a FIDO key provides. The attacker takes advantage of the cross-device sign-in feature available with FIDO credentials. That feature is designed to let a user sign in on a system that doesn't hold their passkey by using another enrolled device, typically a mobile phone. In this case, the bad actors turned the feature into an adversary-in-the-middle (AitM) attack.
This is a concerning development, given that FIDO keys are often regarded as one of the pinnacles of secure multifactor authentication (MFA). And while we haven't uncovered a vulnerability in FIDO keys, IT and SecOps folks will want to sit up and take notice: this attack demonstrates how a bad actor can make an end run around an installed FIDO key without ever touching it.
We have reason to believe that this attack was carried out by PoisonSeed, an attack group known for large-scale phishing campaigns designed to steal cryptocurrency from their targets' wallets. However, the technique described here could easily be leveraged in other attacks.
The state of MFA
But before diving into the details of the attack, let’s talk about the state of MFA as a security tool and attackers’ current focus on compromising identities.
Fast IDentity Online (FIDO) keys are one of several hardware-based MFA tools designed to protect users from the inherent weaknesses of other forms of MFA. Take email or SMS codes, for example: an attacker who gains access to the mailbox or the phone number can read the one-time code, and the factor provides no protection at all.
In contrast, biometrics, FIDO keys, and authenticator apps are tied to something an attacker can't simply read out of an inbox:
- Biometrics are unique to the individual
- FIDO keys are physical pieces of hardware holding cryptographic private keys that never leave the device
- Authenticator apps hold their secret on one enrolled device, and in most cases only one app is allowed per account
These factors can't easily be duplicated, so they provide a real step up in security over codes delivered out of band.
In our present threat landscape, identity-based attacks are clearly having a moment. As we discussed in our Expel Quarterly Threat Report for Q1 2025, identity-based attacks accounted for two-thirds (66.2%) of the incidents our SOC identified.
With this level of identity-based activity, clearly attackers are finding that targeting user accounts works. And as defenders shore up their defenses, attackers have been pressed to find new and novel ways to get around them.
It started like any other phish
This is where an Expel customer found themselves recently. The attack started with a phishing email sent to several employees at the company. The email attempted to lure these users to log into a fake sign-in page hosted at okta[.]login-request[.]com.
This page mimicked the general look and feel of the company's normal authentication process, including an Okta logo and sign-in fields for username and password. Not only is the domain hosting this fake login page suspicious on its face, it had been registered only a week before the attack.
Both this domain and the aws-us3-manageprod[.]com domain the user is redirected to after entering their credentials are hosted by Cloudflare. Leveraging reputable services like Cloudflare can make phishing scams appear more trustworthy, potentially lulling visitors into a false sense of security.
The targeted user in this case had a FIDO key registered to secure their account. Normally, the user would have to physically interact with the FIDO key, touching it to confirm they're the one logging in and are at the device in front of them. Just as important, the key signs a challenge that is bound to the web origin the browser actually visited, so a signature produced while on a phishing domain is worthless at the real portal.
If a user whose account is protected by a FIDO key enters their username and password into the phishing page, their credentials are stolen, just as any other user's would be. But with a FIDO key protecting the account, the attackers can neither touch the key nor obtain from it an assertion that the legitimate site would accept.
This is where things took a turn from your traditional phishing site. After entering their username and password on the phishing site, the user was presented with a QR code.
What happened behind the scenes is that the phishing site automatically forwarded the stolen username and password to the organization's legitimate login portal, along with a request to use the cross-device sign-in feature. The login portal responded with a QR code.
How cross-device sign-in works
Under normal circumstances, a user who wants to sign in from a different, unregistered device can still verify their identity if they've enrolled another authenticator, usually an MFA app or passkey on a mobile phone, and most of these can scan a QR code. After the portal receives the correct username and password, it displays a QR code; the user scans it with the authenticator on their phone; the portal and the authenticator communicate to verify the login; and the user is granted access.
In this attack, the bad actors enter the correct (stolen) username and password and request cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays to the user on the fake page. The user scans it with their authenticator, the portal and the authenticator complete the verification, and the session lands in the browser that started the flow: the attackers'.
This process, while seemingly complicated, sidesteps everything the FIDO key was supposed to guarantee. The user's hardware key is never touched, and the assertion the phone produces is legitimately bound to the real portal, because the real portal is exactly where the attacker's browser is signing in. Nothing in the flow ties the phone to the machine in front of the user unless physical proximity is enforced. The attackers end up with access to the compromised user's account, including any applications, sensitive documents, and tools that access provides.
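The exchange described above, as an added example that is not part of the original post and not Expel's, Okta's or the FIDO Alliance's code. It models the legitimate cross-device flow, the QR relay, and a proximity check of the kind the post discusses later. It is a deliberate simplification: an HMAC over the challenge stands in for the authenticator's asymmetric signature, a shared location string stands in for Bluetooth range, and the portal's proximity policy rides along in the QR payload. The hostname, usernames, passwords and keys are all made up.

```python
"""Toy model of FIDO cross-device sign-in and the QR-relay AitM attack.

Constructed example. An HMAC replaces the authenticator's signature, a
location string replaces Bluetooth range, and the proximity policy is carried
in the QR payload. Names, secrets and hostnames are invented.
"""
import hashlib
import hmac
import secrets

RP_ID = "login.example.com"   # assumed hostname of the legitimate portal


def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class LoginPortal:
    """The legitimate IdP: checks the password, then hands out a QR challenge."""

    def __init__(self, users: dict, require_proximity: bool):
        self.users = users                  # username -> {"password", "cred_key"}
        self.require_proximity = require_proximity
        self.pending = {}                   # challenge -> username
        self.sessions = []                  # (username, browser_label)

    def start_cross_device(self, username: str, password: str) -> dict:
        if self.users.get(username, {}).get("password") != password:
            raise PermissionError("bad password")
        challenge = secrets.token_hex(16)
        self.pending[challenge] = username
        # The real QR payload carries a secret that keys the Bluetooth
        # advertisement; ble_secret plays that role here.
        return {"rp_id": RP_ID, "challenge": challenge,
                "ble_secret": secrets.token_hex(16),
                "require_proximity": self.require_proximity}

    def finish(self, browser_label: str, assertion: dict):
        """Verify the phone's assertion; the session goes to whichever browser started the flow."""
        username = self.pending.pop(assertion["challenge"], None)
        if username is None:
            return None
        expected = _mac(self.users[username]["cred_key"], RP_ID + assertion["challenge"])
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        self.sessions.append((username, browser_label))
        return browser_label


class Browser:
    """Whatever device started the login: the user's laptop or the attacker's relay."""

    def __init__(self, label: str, location: str):
        self.label, self.location, self.qr = label, location, None

    def begin_login(self, portal: LoginPortal, username: str, password: str) -> dict:
        self.qr = portal.start_cross_device(username, password)
        return self.qr

    def ble_advertisement(self) -> dict:
        # Broadcast keyed with the QR secret; only a phone in range (same
        # location string in this toy) can hear it.
        return {"location": self.location, "tag": _mac(self.qr["ble_secret"].encode(), "advert")}


class Phone:
    """The user's enrolled authenticator (a passkey or MFA app on their phone)."""

    def __init__(self, cred_key: bytes, location: str):
        self.cred_key, self.location = cred_key, location

    def scan_qr(self, qr: dict, adverts: list):
        """Sign the challenge, or refuse if proximity is required and not proven."""
        if qr["require_proximity"]:
            expected = _mac(qr["ble_secret"].encode(), "advert")
            heard = any(a["location"] == self.location and hmac.compare_digest(a["tag"], expected)
                        for a in adverts)
            if not heard:
                return None       # the device that showed this QR is not next to me
        return {"challenge": qr["challenge"],
                "signature": _mac(self.cred_key, qr["rp_id"] + qr["challenge"])}


def run(attacker_relay: bool, require_proximity: bool):
    """Return the label of the browser that ends up with a session, or None."""
    cred_key = b"constructed-credential-key"
    portal = LoginPortal({"alice": {"password": "hunter2", "cred_key": cred_key}}, require_proximity)
    phone = Phone(cred_key, location="alice-desk")
    if attacker_relay:
        # Alice types her password into the phishing page. The phishing site
        # replays it to the real portal from the attacker's browser, asks for
        # cross-device sign-in, and shows Alice the QR code it gets back.
        browser = Browser("attacker-browser", location="attacker-server")
    else:
        browser = Browser("user-browser", location="alice-desk")
    qr = browser.begin_login(portal, "alice", "hunter2")
    assertion = phone.scan_qr(qr, [browser.ble_advertisement()])
    if assertion is None:
        return None
    return portal.finish(browser.label, assertion)


if __name__ == "__main__":
    print("legitimate login           ->", run(False, False))
    print("QR relay, no proximity     ->", run(True, False))
    print("QR relay, proximity needed ->", run(True, True))
```

The point the model makes is that the portal's signature check passes in both the legitimate and the relayed case: the challenge really did come from the real portal and the phone really does hold the enrolled credential. The only thing that distinguishes the two is whether the phone can hear the device that displayed the QR code, which is why the relay succeeds unless proximity is enforced.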
Thankfully, in this incident no further evidence of malicious activity was discovered beyond bypassing the FIDO key and creating an active session. We recommended reviewing all authentication devices associated with the account, ending all of the affected users' sessions, and resetting the affected users' passwords to expel the attacker from the environment.
Another FIDO key incident
Sadly, this isn't the only recent incident in which bad actors abused FIDO keys to gain control of a user's account. In another incident, where we believe the account was compromised through a phishing email, the attacker reset the user's password and then enrolled their own FIDO key on the account. What's concerning here is that there was no elaborate process of tricking the user into approving the attacker's session; the attacker simply treated key enrollment as one more box to tick in a run-of-the-mill account takeover.
FIDO keys haven’t gone to the dogs
The rise of attacks against and using FIDO keys hasn’t changed the fact that they are still a worthwhile investment when it comes to securing accounts. It does, however, add to the list of things that security teams will need to audit. But what are the telltale signs of suspicious activity?
Reviewing the logs of your authentication applications is a good starting point. Here are some areas you can investigate:
- Are logins that request cross-device sign-in coming from locations the user is expected to log in from? It may be worth limiting the geographic locations users are allowed to log in from, and establishing a registration process for when a user travels somewhere new.
- Similarly, was a key registered from an unusual geographic location? Overall, it’s a good idea to look for the registration of unfamiliar or unexpected keys. Have multiple FIDO keys been registered for one user? Even more telling—were multiple keys registered in quick succession?
- Are you seeing unrecognized or non-reputable key brands being registered? A FIDO authenticator reports its make and model at registration as an AAGUID, so if your company issues only one brand of key, you shouldn't see any other AAGUID in your logs.
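The three checks above, written out as hunting rules and run over a handful of constructed log events. This is an added example, not Expel's or any IdP vendor's code. The event fields (ts, user, event, country, aaguid) and event names are invented for the example; map them onto your own IdP's log schema (for Okta, the System Log) before using any of it. The AAGUIDs, users, countries and the per-user location baseline are all assumptions.

```python
"""Hunting rules over constructed authentication-log events.

Constructed example: the event shape, event names, AAGUIDs, users and
countries are invented. Map the field names onto your IdP's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the AAGUID of the one authenticator model the company issues.
APPROVED_AAGUIDS = {"00000000-0000-4000-8000-000000000001"}
# Assumed per-user baseline of countries they normally sign in from.
EXPECTED_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}
BURST_WINDOW = timedelta(minutes=10)   # "quick succession" threshold, assumed

CROSS_DEVICE_LOGIN = "auth.cross_device_signin"   # invented event names
KEY_REGISTERED = "mfa.fido_key.registered"

EVENTS = [  # constructed log lines, not real data
    {"ts": "2025-07-10T13:01:00Z", "user": "alice", "event": CROSS_DEVICE_LOGIN, "country": "US"},
    {"ts": "2025-07-10T13:05:00Z", "user": "alice", "event": CROSS_DEVICE_LOGIN, "country": "NL"},
    {"ts": "2025-07-11T09:00:00Z", "user": "bob", "event": KEY_REGISTERED, "country": "US",
     "aaguid": "00000000-0000-4000-8000-000000000001"},
    {"ts": "2025-07-11T09:02:00Z", "user": "bob", "event": KEY_REGISTERED, "country": "RO",
     "aaguid": "ffffffff-ffff-4fff-8fff-ffffffffffff"},
    {"ts": "2025-07-11T09:04:00Z", "user": "bob", "event": KEY_REGISTERED, "country": "RO",
     "aaguid": "ffffffff-ffff-4fff-8fff-ffffffffffff"},
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _finding(rule, user, ts):
    return {"rule": rule, "user": user, "ts": ts}


def find_suspicious(events):
    """Apply the per-event and per-user rules; return a list of findings."""
    findings = []
    registrations = defaultdict(list)   # user -> registration timestamps

    for e in events:
        user, ev = e["user"], e["event"]
        expected = EXPECTED_COUNTRIES.get(user, set())

        # Rule 1: cross-device sign-in from somewhere the user doesn't normally log in.
        if ev == CROSS_DEVICE_LOGIN and e["country"] not in expected:
            findings.append(_finding("cross_device_unexpected_location", user, e["ts"]))

        if ev == KEY_REGISTERED:
            registrations[user].append(datetime.strptime(e["ts"], TS_FMT))
            # Rule 2: key enrolled from an unexpected location.
            if e["country"] not in expected:
                findings.append(_finding("key_registered_unexpected_location", user, e["ts"]))
            # Rule 3: key model (AAGUID) is not one the company issues.
            if e.get("aaguid") not in APPROVED_AAGUIDS:
                findings.append(_finding("key_registered_unapproved_model", user, e["ts"]))

    # Rules 4 and 5: more than one key per user, and keys enrolled in quick succession.
    for user, times in registrations.items():
        times.sort()
        first = times[0].strftime(TS_FMT)
        if len(times) > 1:
            findings.append(_finding("multiple_keys_registered", user, first))
            if any(b - a <= BURST_WINDOW for a, b in zip(times, times[1:])):
                findings.append(_finding("key_registration_burst", user, first))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(EVENTS):
        print(f"{f['ts']}  {f['user']:<6} {f['rule']}")
```

On the constructed data, alice trips only the cross-device location rule, while bob's two enrollments from Romania trip the location and AAGUID rules each time and then the multiple-key and burst rules once. The geographic rules are the noisiest in practice; the AAGUID allowlist and the registration-burst rule are the ones that need no travel baseline to be useful.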
There's also an additional security feature available for cross-device sign-in: requiring Bluetooth communication between the mobile device holding the authenticator and the unregistered device the user is signing in on. The phone only completes the sign-in if it can hear a Bluetooth advertisement from the device that displayed the QR code, which means the user has to be at the system that's logging into the portal when they scan it. In the relay described above, the QR code was generated by the attacker's browser, nowhere near the user's phone, so that check fails. Enabling this feature reduces the chances of this AitM phishing attack succeeding to almost zero.
AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples of bad actors and defenders upping the ante in the fight to compromise or protect user accounts. For a while now, MFA has been touted as a necessary security tool in case a password is stolen. Before that, strong passwords were championed to keep easily guessed passwords from granting access. And so on. Arguably, you could trace this pattern all the way back to the advent of the password itself.
This is a battle that’s been going on for a very long time. While this is the latest development to be aware of, it certainly won’t be the last.