Phishing kits exploit downgrade attack to bypass FIDO authentication
Summary
Proofpoint researchers have demonstrated a downgrade attack technique that bypasses FIDO authentication for Microsoft Entra ID. The attack relies on phishing kits to trick users into authenticating with a login method that is not FIDO-based. The technique is built on the Evilginx AitM framework and can be integrated into commercial phishing-as-a-service (PhaaS) kits. The attacker sends the target a phishing link that serves a legitimate Entra ID login page. The phishlet spoofs the user agent string to present a browser and OS combination that does not support FIDO, so Entra ID redirects the user to an alternative MFA method. The attacker then captures the victim's credentials and MFA token and uses them to gain unauthorized access. The attack underscores the need for organizations to enforce FIDO-exclusive login methods to mitigate such threats.
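As an added example (not from the Proofpoint report or from any Microsoft tooling), a small detection over constructed sign-in records that surfaces the downgrade pattern described above: a user who should be authenticating with FIDO instead succeeds with a weaker MFA method, and does so from a user agent never seen for that user. The log format, field names, method labels and all records are assumptions.

```python
"""Flag MFA-downgrade sign-ins: a user expected to use FIDO who instead succeeds
with a weaker method, optionally from a user agent never seen for that user.
Added example, not Proofpoint's or Microsoft's code; log format, field names
and all records are constructed for illustration."""
from dataclasses import dataclass

# Methods treated as phishing-resistant (assumed labels); any other successful
# method is a downgrade for a user whose baseline is FIDO.
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "certificate"}
# Constructed policy data: FIDO-only users and the user agents seen for them so far.
FIDO_ONLY_USERS = {"alice@example.com", "bob@example.com"}
KNOWN_UA = {"alice@example.com": {"Mozilla/5.0 (Windows NT 10.0) Chrome/126"}}

@dataclass(frozen=True)
class SignIn:
    user: str
    method: str
    user_agent: str
    result: str

def parse_line(line: str) -> SignIn:
    """Parse one constructed 'key=value | key=value' record."""
    fields = dict(part.strip().split("=", 1) for part in line.split("|"))
    return SignIn(fields["user"], fields["method"], fields["ua"], fields["result"])

def classify(event: SignIn, known_ua=KNOWN_UA):
    """None if benign; 'downgrade' for a weaker-than-FIDO success; 'downgrade_new_ua'
    when that success also came from an unseen user agent (what a UA-spoofing
    phishlet that forces a fallback method would look like in the logs)."""
    if event.user not in FIDO_ONLY_USERS or event.result != "success":
        return None
    if event.method in PHISHING_RESISTANT:
        return None
    if event.user_agent not in known_ua.get(event.user, set()):
        return "downgrade_new_ua"
    return "downgrade"

def find_downgrades(lines):
    """Return (event, verdict) for every flagged record in the log."""
    return [(e, v) for e in map(parse_line, lines) if (v := classify(e))]

# Constructed sign-in records; only the second should be flagged.
SAMPLE_LOG = [
    "user=alice@example.com | method=fido2 | ua=Mozilla/5.0 (Windows NT 10.0) Chrome/126 | result=success",
    "user=alice@example.com | method=authenticatorPush | ua=Mozilla/5.0 (Macintosh) Safari/17 | result=success",
    "user=bob@example.com | method=sms | ua=Mozilla/5.0 (Windows NT 10.0) Chrome/126 | result=failure",
    "user=carol@example.com | method=sms | ua=Mozilla/5.0 (Windows NT 10.0) Chrome/126 | result=success",
]
```

In a real tenant the same logic would run over exported sign-in logs, with the FIDO-only set and known user agents derived from the directory and historical sign-ins rather than hard-coded.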
Timeline
- 15.08.2025 00:43 (1 article): Proofpoint demonstrates FIDO downgrade attack using Evilginx AitM framework
  Proofpoint researchers have shown how phishing kits can exploit a downgrade attack to bypass FIDO authentication for Microsoft Entra ID. The attack uses the Evilginx AitM framework to serve legitimate login pages and spoof user agent strings, tricking Entra ID into redirecting users to alternative MFA methods. This technique can be integrated into commercial phishing-as-a-service (PhaaS) kits, highlighting the need for organizations to enforce FIDO-exclusive login methods.
  Source: Downgrade Attack Allows Phishing Kits to Bypass FIDO, www.darkreading.com, 15.08.2025 00:43
Information Snippets
- Proofpoint researchers demonstrated a downgrade attack technique that bypasses FIDO authentication for Microsoft Entra ID.
- The attack uses the Evilginx AitM framework to serve legitimate login pages and spoof user agent strings.
- The phishlet tricks Entra ID into redirecting users to alternative MFA methods, allowing attackers to capture credentials and MFA tokens.
- The technique can be integrated into commercial phishing-as-a-service (PhaaS) kits.
- Proofpoint has not observed this specific attack in the wild as of the report.
- Enforcing FIDO-exclusive login methods can mitigate the risk of such downgrade attacks.
All snippets first reported 15.08.2025 00:43 (1 source, 1 article): Downgrade Attack Allows Phishing Kits to Bypass FIDO, www.darkreading.com, 15.08.2025 00:43
Similar Happenings
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.
Clickjacking flaws in multiple password managers
Six major password managers have unpatched clickjacking vulnerabilities that could allow attackers to steal account credentials, 2FA codes, and credit card details. The flaws were demonstrated at DEF CON 33 by independent researcher Marek Tóth. Affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. The attack exploits browser-based autofill features, overlaying invisible HTML elements to trick users into leaking sensitive information. The vulnerabilities were disclosed to vendors in April 2025, with public disclosure planned for August 2025. Some vendors have acknowledged the issues but downplayed their severity. Bitwarden has released a patch, version 2025.8.0, to address the vulnerabilities. Users are advised to disable autofill and use copy/paste until fixes are available.