Giving Cybercriminals the Keys of the Castle
- Javier Conejo del Cerro
- 21 Jul
- 3 min read

In a concerning evolution of phishing tactics, a financially motivated threat actor known as PoisonSeed has developed a sophisticated adversary-in-the-middle (AitM) campaign that bypasses even the strongest multifactor authentication mechanisms—FIDO keys—without breaching the underlying cryptographic protections. Instead, they exploit legitimate cross-device sign-in flows and QR code-based login features to deceive users into authenticating attacker sessions themselves.
This method does not rely on malware or zero-day exploits, but on misusing legitimate login infrastructure and exploiting user trust. By combining credential phishing with cross-device abuse, PoisonSeed effectively turns users into unwitting accomplices in the breach of their own accounts. The result is an elegant, highly effective attack chain that underscores the pressing need to reexamine how authentication protocols interact with user behavior—and how threat actors can weaponize that behavior against even the most secure systems.
Victims: Targeting the Keepers of Enterprise Access
The campaign targets corporate employees across cloud-reliant organizations, focusing on roles that commonly interact with cloud-based identity providers and enterprise tools. These include users in IT administration, sales operations, and financial departments, all of whom typically hold credentials to privileged or high-value systems.
These individuals regularly use identity platforms like Okta, Microsoft Azure AD, and similar authentication services to access internal applications and external SaaS platforms. Because of their operational role, their credentials often unlock a wide range of systems—from email and file storage to ticketing platforms and CRMs. PoisonSeed’s phishing lures exploit this ubiquity and familiarity: by mimicking common login requests and exploiting the speed and convenience of QR-based sign-in, they lead victims into scanning malicious QR codes without noticing anything suspicious.
The Breach: Abusing Cross-Device Trust to Hijack Logins
The attack begins with a phishing email disguised as a routine corporate login alert—typically prompting a password reset or security verification. The user is redirected to a spoofed sign-in page, cloned to resemble the target company’s actual Okta portal. Upon entering credentials into this fake login page, the information is silently forwarded to the legitimate authentication endpoint.
At this stage the real authentication flow is triggered, but the phishing backend does not have to complete MFA in its own browser: it selects the cross-device sign-in option, so the identity provider returns a QR code for cross-device login instead. The phishing site retrieves this QR code and immediately displays it back to the user, who, unaware of the deception, scans it with their mobile authenticator app or FIDO-based MFA device.
By doing so, the user unknowingly completes the legitimate authentication for the attacker's session.
In more advanced cases, the attacker goes a step further by registering their own FIDO security key after gaining access—effectively establishing long-term persistence that may survive password resets or access reviews.
The data compromised includes not only username and password pairs, but also session tokens, authentication artifacts, and direct access to cloud environments, giving attackers the ability to move laterally across the environment or pivot into email, storage, and CRM systems.
Time to Get a New Door Lock: Measures to Fend Off PoisonSeed
To defend against this subtle and dangerous campaign, organizations must implement a layered strategy that hardens authentication flows, monitors behavioral anomalies, and educates users to recognize social engineering at the interface level. Below are concrete steps to mitigate the threat:
Technical and Identity Controls
Enforce phishing-resistant MFA across all logins and account recovery workflows.
Disable cross-device sign-in and QR-based authentication flows unless absolutely necessary for business operations.
Block the reuse or relay of QR codes between domains and sessions.
Alert on or prevent new FIDO key enrollments from unfamiliar IPs, geolocations, or devices.
Monitor for unusual session initiation patterns, including those involving real credentials from unrecognized endpoints.
Log all QR generation events tied to FIDO flows for auditing and anomaly detection.
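The following added example (not from the original article or any vendor product) sketches two of the controls above as detection logic over identity-provider audit events: a cross-device login whose QR code was requested from an unfamiliar origin in a different country than the authenticator that approved it, and a new FIDO key enrolment from an unfamiliar origin shortly after such a login. The event schema, the `known_ip` flag and the 30-minute window are assumptions; the log lines are constructed.

```python
"""Heuristic detection of cross-device sign-in abuse over IdP audit events."""
from datetime import datetime, timedelta

# Constructed sample events in a simplified, vendor-neutral schema (assumption).
# known_ip would come from an allow-list of corporate egress / previously seen IPs.
SAMPLE_EVENTS = [
    {"ts": "2025-07-21T09:00:00", "type": "cross_device.qr_generated", "user": "alice",
     "session": "s1", "ip": "203.0.113.7", "country": "NL", "known_ip": False},
    {"ts": "2025-07-21T09:00:40", "type": "cross_device.completed", "user": "alice",
     "session": "s1", "ip": "198.51.100.23", "country": "ES", "known_ip": True},
    {"ts": "2025-07-21T09:04:10", "type": "fido.key_enrolled", "user": "alice",
     "session": "s1", "ip": "203.0.113.7", "country": "NL", "known_ip": False},
    # Benign: laptop and phone of the same user, same country, both on known networks.
    {"ts": "2025-07-21T10:00:00", "type": "cross_device.qr_generated", "user": "bob",
     "session": "s2", "ip": "198.51.100.40", "country": "ES", "known_ip": True},
    {"ts": "2025-07-21T10:00:30", "type": "cross_device.completed", "user": "bob",
     "session": "s2", "ip": "198.51.100.91", "country": "ES", "known_ip": True},
]


def detect(events, enrol_window=timedelta(minutes=30)):
    """Return alert strings. Thresholds are assumptions, tune them to your tenant."""
    alerts = []
    pending_qr = {}   # session id -> qr_generated event awaiting completion
    last_login = {}   # user -> (completed event, flagged as suspicious?)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "cross_device.qr_generated":
            pending_qr[e["session"]] = e
        elif e["type"] == "cross_device.completed":
            qr = pending_qr.pop(e["session"], None)
            # The QR was requested from an origin we do not know, in another
            # country than the device that scanned it: the AitM relay pattern.
            suspicious = bool(qr) and not qr["known_ip"] and qr["country"] != e["country"]
            last_login[e["user"]] = (e, suspicious)
            if suspicious:
                alerts.append(f"{e['user']}: cross-device login approved from {e['country']} "
                              f"for a session started from unfamiliar {qr['ip']} ({qr['country']})")
        elif e["type"] == "fido.key_enrolled" and not e["known_ip"]:
            prev = last_login.get(e["user"])
            if prev:
                done, suspicious = prev
                delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(done["ts"])
                # Persistence step: a new authenticator registered right after login.
                if suspicious or delta <= enrol_window:
                    alerts.append(f"{e['user']}: new FIDO key enrolled from unfamiliar "
                                  f"{e['ip']} {int(delta.total_seconds() // 60)} min after login")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
```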
Endpoint and Network Defenses
Use EDR or XDR solutions capable of detecting session hijacking attempts and malicious behavior post-authentication.
Apply session binding between authentication and user context (device fingerprinting, IP reputation, behavioral profiling).
Implement network segmentation for high-privilege accounts to limit lateral movement after compromise.
User Awareness and Training
Train users to validate the domain and context of QR-based login prompts before scanning.
Encourage skepticism of login prompts that arrive outside normal workflows, especially those claiming urgency.
Simulate phishing scenarios involving QR-based login abuse to build awareness of this emerging tactic.
The PoisonSeed campaign proves once again that strong authentication standards are only as effective as their real-world implementations. FIDO keys, QR codes, and cross-device flows are all designed with user convenience in mind—but that convenience can become a liability when exploited by adversaries who understand the nuances of human behavior and authentication design.
Organizations must not only deploy the best tools but also apply security thinking to every link in the chain—including how users interact with authentication mechanisms. Technical strength must be complemented by behavioral safeguards, continuous monitoring, and cultural readiness.
This isn’t just about updating security settings—it’s about recognizing that the castle walls no longer matter if the guards are tricked into opening the gates themselves.