FIDO Authentication Bypass via Downgrade Attack
Summary
A new proof-of-concept demonstrates how phishing kits can bypass FIDO authentication by exploiting a downgrade attack. The attack targets Microsoft Entra ID, tricking it into using alternative authentication methods. This method leverages the Evilginx framework to relay login attempts, making it appear as if they originate from non-FIDO-compliant devices. The attack starts with a phishing link that directs victims to a legitimate Entra ID login page. The phishlet spoofs the user agent string to signal a FIDO-unsupported browser-OS combination, prompting Entra ID to redirect to an alternative MFA method. This allows attackers to capture credentials and MFA tokens, obtaining a valid session token. This vulnerability highlights the need for stricter FIDO compliance and the risks associated with fallback authentication methods.
Timeline
- 15.08.2025 00:43 · 1 article
  Proof-of-concept demonstrates FIDO bypass via downgrade attack
  Researchers from Proofpoint developed a PoC showing how phishing kits can bypass FIDO authentication in Microsoft Entra ID. The attack uses the Evilginx framework to relay login attempts, spoofing user agent strings to prompt Entra ID to use alternative MFA methods. This allows attackers to capture credentials and session tokens.
  Source: Downgrade Attack Allows Phishing Kits to Bypass FIDO — www.darkreading.com — 15.08.2025 00:43
Information Snippets
- FIDO authentication relies on public-private key cryptography to ensure credentials never leave the device.
  First reported: 15.08.2025 00:43 (1 source, 1 article). Source: Downgrade Attack Allows Phishing Kits to Bypass FIDO — www.darkreading.com — 15.08.2025 00:43
- The downgrade attack uses the Evilginx framework to relay login attempts, spoofing user agent strings to bypass FIDO.
  First reported: 15.08.2025 00:43 (1 source, 1 article). Source: Downgrade Attack Allows Phishing Kits to Bypass FIDO — www.darkreading.com — 15.08.2025 00:43
- The attack redirects victims to alternative MFA methods, allowing attackers to capture credentials and session tokens.
  First reported: 15.08.2025 00:43 (1 source, 1 article). Source: Downgrade Attack Allows Phishing Kits to Bypass FIDO — www.darkreading.com — 15.08.2025 00:43
- Proofpoint has not observed this specific attack in the wild, but the PoC demonstrates a viable threat.
  First reported: 15.08.2025 00:43 (1 source, 1 article). Source: Downgrade Attack Allows Phishing Kits to Bypass FIDO — www.darkreading.com — 15.08.2025 00:43
- Organizations often prioritize user access over strict FIDO compliance, leaving fallback authentication methods enabled.
  First reported: 15.08.2025 00:43 (1 source, 1 article). Source: Downgrade Attack Allows Phishing Kits to Bypass FIDO — www.darkreading.com — 15.08.2025 00:43
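Detection logic for the downgrade described in the summary and the snippets above, added here as an example that is not part of the original page or of Proofpoint's PoC. It walks constructed, simplified sign-in records (the field names and method labels are assumptions, not the Entra ID sign-in log schema) and flags users who had been authenticating with FIDO but then completed a fallback MFA method, raising the severity when the fallback arrived from a client never seen with their FIDO sign-ins.

```python
import json
from collections import defaultdict

# Methods treated as phishing-resistant (assumed labels, not Entra ID's own names).
PHISHING_RESISTANT = {"fido2", "passkey"}

# Constructed sample sign-in records in chronological order (not real log data).
SAMPLE_LOG = """
{"user": "alice@example.com", "method": "fido2", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0", "ip": "203.0.113.10"}
{"user": "alice@example.com", "method": "fido2", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0", "ip": "203.0.113.10"}
{"user": "alice@example.com", "method": "sms", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0", "ip": "198.51.100.7"}
{"user": "bob@example.com", "method": "sms", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0", "ip": "203.0.113.22"}
{"user": "carol@example.com", "method": "fido2", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) Safari/17.0", "ip": "203.0.113.30"}
{"user": "carol@example.com", "method": "authenticator_app", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) Safari/17.0", "ip": "203.0.113.30"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_downgrades(events):
    """Flag fallback-MFA sign-ins by users already seen authenticating with a
    phishing-resistant method. Severity is 'high' when the fallback arrives
    from a user agent never seen with that user's FIDO sign-ins (the trace a
    user-agent-driven downgrade leaves in the logs), otherwise 'medium'."""
    fido_agents = defaultdict(set)  # user -> user agents seen on FIDO sign-ins
    findings = []
    for ev in events:
        user, method, ua = ev["user"], ev["method"], ev["ua"]
        if method in PHISHING_RESISTANT:
            fido_agents[user].add(ua)
            continue
        if not fido_agents[user]:
            continue  # never seen with FIDO: nothing to downgrade from
        severity = "high" if ua not in fido_agents[user] else "medium"
        findings.append({"user": user, "method": method, "ua": ua,
                         "ip": ev.get("ip"), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_downgrades(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['user']} fell back to {f['method']} "
              f"from {f['ip']} ({f['ua']})")
```

A medium finding is still worth reviewing: a fallback method succeeding at all for a FIDO-enrolled user means the fallback is enabled, which is the condition the attack depends on.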
Similar Happenings
UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data
UNC6395 exploited Salesloft OAuth tokens to exfiltrate data from Salesforce instances. The campaign, active from August 8 to 18, 2025, targeted over 700 organizations, exporting credentials and sensitive information. Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, Tanium, and Workiva were impacted by the breach, exposing customer information. Salesloft and Salesforce have taken remediation steps, and the threat actor demonstrated operational security awareness. The breach involved exporting large volumes of data from Salesforce instances, including AWS access keys, passwords, and Snowflake tokens. The actor deleted query jobs to cover tracks. Salesloft has revoked connections and advised customers to re-authenticate Salesforce integrations. The campaign may indicate a broader supply chain attack strategy. Salesloft has engaged Mandiant and Coalition for investigation and remediation. Drift customers are urged to update API keys for connected integrations. Salesforce removed the Drift application from the Salesforce AppExchange until further notice. Google has revealed that the campaign impacts all integrations, including Google Workspace email accounts, and has taken steps to mitigate the risk. Salesloft is temporarily taking Drift offline to review the application and build additional security measures. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.
APT36 leverages Linux .desktop files for malware deployment in ongoing espionage campaign
APT36, a Pakistani threat actor also known as Transparent Tribe, is exploiting Linux .desktop files to install malware in attacks targeting government and defense entities in India. The campaign, active since August 1, 2025, aims at data exfiltration and maintaining persistent access. The attacks use phishing emails to deliver ZIP archives containing malicious .desktop files disguised as PDFs. The malware, a Go-based ELF executable, establishes persistence and communicates via a WebSocket channel for command and control. The campaign also targets Windows and BOSS Linux systems, using decoy PDFs and anti-debugging techniques to evade detection.
Clickjacking vulnerabilities in major password managers
Six major password managers are vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details. The vulnerabilities, dubbed DOM-based extension clickjacking, can be exploited when users visit malicious pages or sites vulnerable to cross-site scripting (XSS) or cache poisoning, where attackers overlay invisible HTML elements over the password manager interface. Users may unknowingly trigger autofill actions that leak sensitive information. The flaws were presented at DEF CON 33 by independent researcher Marek Tóth and verified by Socket. Affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. Bitwarden has released a fix, but patches are not yet available for all products. Users are advised to disable the auto-fill function and use copy/paste until fixes are available.
PyPI blocks 1,800 expired-domain emails to prevent account takeovers
The Python Package Index (PyPI) has implemented a new security measure to block 1,800 email addresses associated with expired domains. This change aims to prevent supply chain attacks by mitigating the risk of domain resurrection attacks. PyPI now checks for expired domains and marks corresponding email addresses as unverified. This update enhances account security by addressing a significant attack vector that could allow unauthorized access to accounts. The threat of domain resurrection attacks arises when attackers purchase expired domains and use them to take control of PyPI accounts through password resets. This measure is part of ongoing efforts to secure the Python package ecosystem. PyPI uses Domainr’s Status API to verify domain status every 30 days.