New Downgrade Attack Targets FIDO Authentication in Microsoft Entra ID

Security researchers have identified a new FIDO downgrade attack targeting Microsoft Entra ID that deceives users into falling back to less secure login methods, exposing them to phishing and session hijacking. Those fallback methods are susceptible to adversary-in-the-middle (AiTM) phishing attacks using tools such as Evilginx, which let attackers capture valid session cookies and take over accounts. The attack does not expose a flaw in the FIDO protocol itself, but it demonstrates a significant bypass of the surrounding login flow, which is concerning as FIDO-based authentication becomes more prevalent in critical environments, where it is often regarded as highly resistant to phishing.

The downgrade attack, developed by Proofpoint researchers, employs a custom phishlet within the Evilginx adversary-in-the-middle framework to present a browser user agent that does not support FIDO. Specifically, the researchers spoof Safari on Windows, a browser that is incompatible with FIDO-based authentication in Microsoft Entra ID. This seemingly minor functionality gap can be exploited by attackers, as noted by Proofpoint researcher Yaniv Miron. When a target clicks a phishing link delivered via email, SMS, or an OAuth consent prompt, they are redirected to a phishing site running the custom phishlet. The phishing platform proxies the legitimate Microsoft Entra ID login form, and because of the spoofed user agent, FIDO authentication is disabled and the user is prompted to choose a less secure verification method. If the user does so, the AiTM proxy intercepts their credentials and MFA tokens, giving the attacker full access to an account whose FIDO-based login was meant to be phishing-resistant.
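The two signals a defender can look for in sign-in telemetry follow directly from the mechanism described above: a user agent claiming Safari on Windows (a combination Entra ID treats as FIDO-incapable), and a user who has a FIDO2 key registered nonetheless authenticating with a weaker method. The script below is an added illustration written for this post, not code from Proofpoint, Microsoft, or Evilginx. The sign-in records, the user list, and the field names (`userPrincipalName`, `userAgent`, `authenticationMethods`, `ipAddress`) are constructed for the example as a simplified schema, not a verbatim Entra ID export; the method display names are assumptions as well.

```python
import json
import re

# Constructed sample sign-in log (newline-delimited JSON). Field names are an
# assumed simplified schema, not the exact Entra ID sign-in log format.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.test", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15", "authenticationMethods": ["Password", "Text message"], "ipAddress": "203.0.113.7"}
{"userPrincipalName": "alice@example.test", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36", "authenticationMethods": ["FIDO2 security key"], "ipAddress": "198.51.100.4"}
{"userPrincipalName": "bob@example.test", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15", "authenticationMethods": ["Password", "Microsoft Authenticator"], "ipAddress": "192.0.2.9"}
"""

# Constructed registration inventory: which methods each user has enrolled.
REGISTERED_METHODS = {
    "alice@example.test": {"FIDO2 security key", "Password", "Text message"},
    "bob@example.test": {"Password", "Microsoft Authenticator"},
}

# Methods treated as phishing-resistant for this example (assumed names).
PHISHING_RESISTANT = {"FIDO2 security key", "Windows Hello for Business", "Passkey"}


def is_safari_browser(ua: str) -> bool:
    """True only for genuine Safari.

    Chromium-based browsers also carry a "Safari/" token for compatibility, so a
    bare substring check would false-positive on Chrome and Edge. Real Safari is
    identified by "Version/x ... Safari/y" with no Chrome/Chromium/Edg/OPR token.
    """
    if not re.search(r"Version/[\d.]+ .*Safari/", ua):
        return False
    return not re.search(r"(Chrome|Chromium|Edg|OPR)/", ua)


def is_safari_on_windows(ua: str) -> bool:
    """Safari has not shipped for Windows in years; this pairing is a strong
    indicator of a spoofed user agent, which is exactly what the downgrade
    phishlet presents."""
    return "Windows NT" in ua and is_safari_browser(ua)


def used_phishing_resistant(methods) -> bool:
    return any(m in PHISHING_RESISTANT for m in methods)


def analyze_signins(log_text: str, registered: dict) -> list:
    """Return one finding per suspicious sign-in, with the reasons it fired."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        user = rec["userPrincipalName"]
        reasons = []
        if is_safari_on_windows(rec["userAgent"]):
            reasons.append("safari-on-windows-user-agent")
        has_fido = bool(registered.get(user, set()) & PHISHING_RESISTANT)
        if has_fido and not used_phishing_resistant(rec["authenticationMethods"]):
            # A FIDO-enrolled user completing sign-in with a weaker factor is the
            # downgrade outcome this attack aims for; worth a look even alone.
            reasons.append("fido-registered-but-weaker-method-used")
        if reasons:
            findings.append({"user": user, "ip": rec["ipAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_signins(SAMPLE_SIGNIN_LOG, REGISTERED_METHODS):
        print(f"{f['user']} from {f['ip']}: {', '.join(f['reasons'])}")
```

Detection like this is a backstop, not the fix. The structural mitigation is to stop the fallback from being offered at all: an Entra ID Conditional Access policy that requires the built-in "Phishing-resistant MFA" authentication strength for the affected users and applications means a session negotiated with a FIDO-incapable user agent is denied rather than completed with a weaker method.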

Categories: FIDO Authentication, Phishing Attacks, Session Hijacking 

Tags: FIDO, Downgrade Attack, Microsoft Entra ID, Phishing, Session Hijacking, Adversary-in-the-Middle, Evilginx, Passwordless Authentication, MFA, Phishlet 
