Published Date: 8/14/2025
A new downgrade attack that uses a “dedicated phishlet” to bypass FIDO authentication has been discovered by enterprise cybersecurity provider Proofpoint. According to a blog post from the Canada-based company, the adversary-in-the-middle (AiTM) attack starts out in a recognizable way: a phishing message includes a link to a webpage that looks like a legitimate login portal but is a malicious fake. From there, however, it differs. Unlike other downgrade attacks that affect only certain implementations of FIDO authentication, in particular Windows Hello for Business (WHfB), it can be used to phish Microsoft Entra ID users regardless of the implementation.
Because Entra does not support FIDO2 authentication, such as passkeys, on every browser, attackers can use a specially crafted phishlet to spoof an unsupported user agent, such as Safari on Windows, so that the sign-in falls back to another method. A phishlet, Proofpoint explains, “is a configuration file or template used by phishing kits to define the impersonation of legitimate websites and interception of user credentials and session tokens.”
Legacy phishlets are designed to harvest traditional credentials and bypass legacy multi-factor authentication (MFA) systems, and return an error when faced with FIDO authentication. But Proofpoint researchers have built a dedicated phishlet using the Evilginx AiTM attack framework that forces the target to use a less secure authentication method. The less secure login credential, such as a verification code from the Microsoft Authenticator app, is intercepted along with the session cookie, and the attacker imports the cookie into their browser.
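As an added illustration (not code from Proofpoint or the article), the following Python flags sign-ins that fit the pattern described above: a user agent claiming Safari on Windows, combined with a phishable factor completing a sign-in for an account that has a FIDO credential registered. The record schema and the sample sign-ins are constructed for this example and are not Entra's real log format.

```python
# Assumed record schema (not Entra's real sign-in log format); records are constructed.
SAMPLE_SIGNINS = [
    {"user": "alice@example.test",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/17.0 Safari/605.1.15",
     "authMethod": "AuthenticatorAppCode", "hasFidoRegistered": True},
    {"user": "bob@example.test",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36",
     "authMethod": "Fido2", "hasFidoRegistered": True},
    {"user": "carol@example.test",
     "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/17.5 Safari/605.1.15",
     "authMethod": "AuthenticatorAppCode", "hasFidoRegistered": False},
]

# Factors an AiTM proxy can relay; a FIDO2 assertion is origin-bound and cannot be.
PHISHABLE_METHODS = {"Password", "Sms", "AuthenticatorAppCode", "AuthenticatorAppPush"}

def is_safari_on_windows(user_agent: str) -> bool:
    """Safari has not shipped for Windows in years, so this combination is a spoofing tell.
    Chromium browsers also send 'Safari/' for compatibility, so require the 'Version/'
    token that real Safari sends and Chromium does not, and exclude Chrome explicitly."""
    return ("Windows NT" in user_agent
            and "Version/" in user_agent
            and "Safari/" in user_agent
            and "Chrome/" not in user_agent)

def downgrade_indicators(signin: dict) -> list:
    """Return the reasons a sign-in looks like a FIDO downgrade; empty list means clean."""
    reasons = []
    if is_safari_on_windows(signin["userAgent"]):
        reasons.append("spoofed-ua:safari-on-windows")
    # The downgrade only pays off if a phishable factor completes a sign-in for an
    # account that should have used its registered FIDO credential.
    if signin["hasFidoRegistered"] and signin["authMethod"] in PHISHABLE_METHODS:
        reasons.append("phishable-method-despite-fido:" + signin["authMethod"])
    return reasons

def find_downgrade_candidates(records: list) -> dict:
    """Map each suspicious user to the indicators that fired."""
    hits = {}
    for record in records:
        reasons = downgrade_indicators(record)
        if reasons:
            hits[record["user"]] = reasons
    return hits

if __name__ == "__main__":
    print(find_downgrade_candidates(SAMPLE_SIGNINS))
```

A single indicator on its own is a weak signal; the combination of an implausible user agent and a phishable factor on a FIDO-enrolled account is what merits a closer look.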
Despite the lack of observed usage by threat actors, Proofpoint considers FIDO authentication downgrade attacks a significant emerging threat. These attacks could be carried out by sophisticated adversaries and APTs (namely state-sponsored actors or technically savvy hackers). A passkey downgrade attack was recently reported and then walked back, with the clarification that FIDO still protects against legacy “phishable” MFA so long as the FIDO Cross-Device Authentication flow is properly implemented.
Proofpoint's discovery underscores the ongoing need for robust security measures and continuous monitoring to protect against evolving threats in the digital landscape. Organizations should remain vigilant and ensure that their authentication systems are up-to-date and fortified against such sophisticated attacks.
Q: What is a FIDO authentication downgrade attack?
A: A FIDO authentication downgrade attack is a type of phishing attack where hackers force users to use a less secure authentication method, such as a verification code from an app, instead of the more secure FIDO2 authentication.
Q: How does the phishlet work in this attack?
A: A phishlet is a configuration file used by phishing kits to impersonate legitimate websites and intercept user credentials and session tokens. In this attack, it forces the target to use a less secure authentication method.
Q: What is Proofpoint's role in this discovery?
A: Proofpoint, an enterprise cybersecurity provider, discovered and detailed the new FIDO authentication downgrade attack, highlighting its potential risks and the methods used by threat actors.
Q: Which users are most at risk from this attack?
A: Microsoft Entra ID users are particularly at risk, especially those using browsers that do not fully support FIDO2 authentication, such as Safari on Windows.
Q: What can organizations do to protect against this threat?
A: Organizations should ensure their authentication systems are up-to-date, implement FIDO2 authentication where possible, and train employees to recognize and avoid phishing attempts.