Microsoft Entra ID attack weakens authentication

Sessions within Entra ID can be hijacked if the intended authentication method is disabled. A new attack allows malicious actors to perform a FIDO downgrade and take over accounts.

Fortunately for Microsoft, it was not cyber attackers but Proofpoint researchers who discovered the exploit. The technical ingenuity lies in the simplicity of the execution. The attackers simply modify the browser identification (the user-agent string), causing Microsoft Entra ID to automatically disable FIDO authentication and generate an error message. This error prompts the user to choose an alternative verification method.

The attack starts when the target follows a phishing link via email or SMS. The malicious website uses a customized phishlet within the Evilginx adversary-in-the-middle (AiTM) framework. A phishlet is essentially a configuration file for phishing pages. This site uses a proxy for the legitimate Microsoft Entra ID forms, but at the same time spoofs an unsupported browser user agent.

Bypassing phishing-resistant authentication

For a successful attack, the researchers needed a browser without FIDO support. By emulating Safari on Windows, a combination of browser and OS that does not support FIDO authentication, users are forced to switch to alternative verification methods such as the Microsoft Authenticator app or SMS codes.

Once the user switches to a weaker authentication method, the AiTM proxy can intercept both the account details and the MFA token or session cookie. The attacker then imports the stolen cookie into their own browser, gaining full access to the victim’s account.

Limited practical application

So far, this technique has not been observed in real attacks. Proofpoint indicates that cybercriminals are currently focusing on easier targets, such as accounts without MFA protection. However, the risk remains, especially for targeted attacks on specific organizations or individuals. A large-scale campaign could quickly take over one or a few accounts, resulting in potential data leaks or IP theft.

Some readers may be familiar with this technique. However, the attack differs from an earlier FIDO downgrade technique called “PoisonSeed” developed by Expel researchers. That method ultimately proved impractical due to proximity requirements that caused fraudulent authentication requests to fail. In other words, it was a false alarm.

Security measures

Organizations can mitigate the risk by disabling fallback authentication methods where possible. Activating additional checks and confirmations when such processes are triggered can also help.

End users should be wary of sudden requests to use a different authentication method than the registered passkey. This is often a red flag indicating that something is wrong with the login process.
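The two signals described in the mitigation paragraphs above, a sign-in that claims Safari on Windows and a FIDO-registered user who completes sign-in with a weaker method, can be checked against sign-in records. The following is an added detection example, not code from the article or from Proofpoint; the records are constructed and use a simplified schema, not the real Entra ID sign-in log format.

```python
import re

# Constructed sample sign-in records (simplified schema, not the real Entra ID log fields).
# "registered" lists the methods the user has enrolled; "method" is the one actually used.
SIGN_INS = [
    {"user": "alice",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.0 Safari/605.1.15",
     "method": "sms", "registered": ["fido2", "sms"]},
    {"user": "bob",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/126.0 Safari/537.36",
     "method": "fido2", "registered": ["fido2", "sms"]},
    {"user": "carol",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.5 Safari/605.1.15",
     "method": "authenticator_push", "registered": ["authenticator_push"]},
]

# Methods treated as phishing-resistant; everything else is a weaker fallback.
STRONG_METHODS = {"fido2"}


def is_safari_on_windows(user_agent: str) -> bool:
    """True when the UA claims real Safari on Windows, the combination the attack spoofs.

    Chrome and Edge also carry a "Safari/" token, so require WebKit's "Version/" marker
    and reject UAs that carry Chrome, Edge or Opera tokens.
    """
    return ("Windows NT" in user_agent
            and "Version/" in user_agent
            and "Safari/" in user_agent
            and not re.search(r"Chrome/|Edg/|CriOS|OPR/", user_agent))


def downgraded(record: dict) -> bool:
    """True when a user with a strong method enrolled signed in with a weaker one."""
    has_strong = any(m in STRONG_METHODS for m in record["registered"])
    return has_strong and record["method"] not in STRONG_METHODS


def flag_sign_ins(records: list) -> list:
    """Return (user, reasons) for every record that shows at least one downgrade signal."""
    findings = []
    for r in records:
        reasons = []
        if is_safari_on_windows(r["user_agent"]):
            reasons.append("user agent claims Safari on Windows (combination lacks FIDO support)")
        if downgraded(r):
            reasons.append(f"FIDO enrolled but signed in with {r['method']}")
        if reasons:
            findings.append((r["user"], reasons))
    return findings
```

A record matching both signals at once is the pattern the article describes; either signal alone is worth a closer look but can have benign causes.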

Although the attack does not demonstrate a vulnerability in FIDO itself, it proves that the system can be circumvented. This is a crucial weakness, especially given the increased adoption of FIDO-based authentication in critical environments, where the technology is presented as extremely phishing-resistant. Ultimately, all users must use FIDO-supported browsers, which is difficult to guarantee.