
FIDO downgrade proof-of-concept for Microsoft Entra ID using Evilginx

Technical Analysis
Happening score: 31
1 unique source, 1 article

Summary


Researchers demonstrated a proof-of-concept downgrade attack against FIDO authentication for Microsoft Entra ID, showing a reusable path that could let phishing kits bypass passwordless login and steal sessions. The technique uses Evilginx and phishlets to push victims into MFA fallback instead of FIDO. The finding matters because it could be folded into commercial phishing-as-a-service kits, even though no in-the-wild attacks have been observed.

Related Happenings

Bitwarden adds passkey login for Windows 11 sign-in

Security Tool/Service
First: 05.03.2026 00:34 Last: 05.03.2026 00:34 Sources 1

About this happening: **Bitwarden** added **passkey login** for **Windows 11**, expanding passwordless sign-in and reducing phishing exposure for users who store credentials in the vault.

ConsentFix browser-native OAuth consent phishing campaign

Campaign
First: 14.01.2026 17:01 Last: 14.01.2026 17:01 Sources 1

About this happening: The **ConsentFix** campaign is a **ClickFix**-style **OAuth consent phishing** operation that hijacks **Microsoft accounts** by abusing the **Azure CLI OAuth app**. In the reporte...

Microsoft Windows 11 FIDO2 sign-in may prompt for PIN after WebAuthn-aligned updates

Security Tool/Service
First: 26.11.2025 16:43 Last: 26.11.2025 16:43 Sources 1

About this happening: **Windows 11** FIDO2 sign-ins may now prompt users to create or enter a **PIN** after recent **WebAuthn**-aligned updates, changing passwordless authentication behavior on managed...

FIDO2 hardware-based biometric identity guidance to resist Tycoon 2FA relay phishing

Defensive Guidance
First: 18.11.2025 17:01 Last: 18.11.2025 17:01 Sources 1

About this happening: A new defensive posture centers on **FIDO2 hardware-based biometric identity** to blunt **Tycoon 2FA**-style phishing that relays MFA and steals session cookies. The control matte...

Timeline

  1. 15.08.2025 00:43 1 article · 9mo ago

    Proof-of-concept FIDO downgrade for Microsoft Entra ID

    Technical Analysis Update

    Proofpoint researchers published a proof-of-concept showing how phishing kits can bypass FIDO authentication against Microsoft Entra ID by using the open source Evilginx adversary-in-the-middle framework and phishlets to spoof the victim's user agent, trigger a FIDO-unsupported browser-OS response, and force a fallback MFA path that can yield a valid session token. Proofpoint said it had not observed this downgrade attack in the wild.
