Hackers using specialized phishing tools for downgrade attacks on FIDO authentication
A sophisticated new threat vector has emerged that could undermine one of the most trusted authentication methods in cybersecurity. FIDO-based passkeys, long considered the gold standard for phishing-resistant authentication, are now facing a potentially devastating attack technique that forces users to downgrade to less secure authentication methods. This attack exploits a critical vulnerability in FIDO implementation across major platforms, particularly Microsoft Entra ID, where certain web browsers lack full passkey support. This seemingly minor compatibility gap creates an opportunity for cybercriminals to manipulate the authentication process, compelling victims to use traditional multi-factor authentication methods that are susceptible to adversary-in-the-middle (AiTM) attacks. Modern phishing campaigns have evolved significantly with the rise of sophisticated AiTM phishing kits like Evilginx, EvilProxy, and Tycoon, which have made session hijacking more accessible to threat actors.
Proofpoint researchers identified this emerging threat after discovering that standard phishlets typically fail when encountering FIDO-secured accounts, prompting attackers to develop specialized techniques. The attack begins when victims receive phishing messages containing malicious links powered by a dedicated FIDO downgrade phishlet. Upon clicking, targets encounter what appears to be an authentication error, compelling them to select alternative sign-in methods. This deceptive interface mirrors legitimate Microsoft authentication pages, creating a convincing illusion of system malfunction.

The core mechanism behind FIDO authentication downgrade attacks relies on user agent spoofing. Attackers configure their AiTM infrastructure to present itself as an unsupported browser environment, such as Safari on Windows, which lacks FIDO2 compatibility with Microsoft Entra ID. Once victims authenticate through the downgraded method, attackers intercept credentials and session tokens using reverse proxy servers, enabling complete account takeover without requiring additional authentication challenges.
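The two signals the article describes, a passkey-enrolled user authenticating with a weaker method and a client claiming to be Safari on Windows, can be combined into a simple detection over sign-in records. The following is an added defender-side example, not code from the article or from Proofpoint; the record fields (`user`, `fido_registered`, `auth_method`, `user_agent`) and the sample sign-ins are constructed assumptions, not the Microsoft Entra ID sign-in log schema.

```python
"""Flag sign-ins consistent with a FIDO downgrade forced via user-agent spoofing.

Added example; record fields and sample data are hypothetical and constructed.
"""
import re

PHISHING_RESISTANT = {"fido2", "passkey"}

# Safari for Windows was discontinued in 2012, so a current-looking desktop
# Safari UA that claims Windows is the downgrade indicator the article names.
_WINDOWS = re.compile(r"Windows NT \d")
_SAFARI = re.compile(r"Version/[\d.]+ .*Safari/")
_NOT_SAFARI = re.compile(r"Chrome/|Chromium/|Edg/|OPR/")  # other WebKit-derived UAs


def is_safari_on_windows(user_agent: str) -> bool:
    """True for a UA string claiming desktop Safari running on Windows."""
    return (
        bool(_WINDOWS.search(user_agent))
        and bool(_SAFARI.search(user_agent))
        and not _NOT_SAFARI.search(user_agent)
    )


def flag_downgrades(sign_ins):
    """Return (user, reason) for each suspicious sign-in.

    A user with a registered passkey who authenticated with a weaker method is
    flagged as 'spoofed_ua' when the client also claims Safari on Windows,
    otherwise as 'downgrade_only' (lower confidence, still worth review).
    """
    flagged = []
    for rec in sign_ins:
        if not rec["fido_registered"] or rec["auth_method"] in PHISHING_RESISTANT:
            continue
        reason = "spoofed_ua" if is_safari_on_windows(rec["user_agent"]) else "downgrade_only"
        flagged.append((rec["user"], reason))
    return flagged


# Constructed sample sign-in records (hypothetical schema).
_SAFARI_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
               "(KHTML, like Gecko) Version/17.1 Safari/605.1.15")
_CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
_SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15 "
               "(KHTML, like Gecko) Version/17.1 Safari/605.1.15")
SAMPLE_SIGN_INS = [
    {"user": "alice@example.com", "fido_registered": True, "auth_method": "sms", "user_agent": _SAFARI_WIN},
    {"user": "bob@example.com", "fido_registered": True, "auth_method": "passkey", "user_agent": _CHROME_WIN},
    {"user": "carol@example.com", "fido_registered": True, "auth_method": "push", "user_agent": _SAFARI_MAC},
    {"user": "dave@example.com", "fido_registered": False, "auth_method": "sms", "user_agent": _SAFARI_WIN},
]
```

Running `flag_downgrades(SAMPLE_SIGN_INS)` flags alice as `spoofed_ua` and carol as `downgrade_only`; bob used a passkey and dave has none registered, so neither is reported.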