{"id":5509,"date":"2025-07-21T10:06:07","date_gmt":"2025-07-21T10:06:07","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/21\/new-poisonseed-attack-let-attackers-trick-users-into-scanning-a-qr-code-with-an-mfa-authenticator\/"},"modified":"2025-07-21T10:06:07","modified_gmt":"2025-07-21T10:06:07","slug":"new-poisonseed-attack-let-attackers-trick-users-into-scanning-a-qr-code-with-an-mfa-authenticator","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/21\/new-poisonseed-attack-let-attackers-trick-users-into-scanning-a-qr-code-with-an-mfa-authenticator\/","title":{"rendered":"New PoisonSeed Attack Let Attackers Trick Users into Scanning a QR Code with an MFA Authenticator"},"content":{"rendered":"

New PoisonSeed Attack Let Attackers Trick Users into Scanning a QR Code with an MFA Authenticator
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated new attack technique compromises Fast IDentity Online (FIDO) key authentication by exploiting cross-device sign-in features.\u00a0<\/p>\n

The PoisonSeed attack group has developed a method to downgrade FIDO key protections through adversary-in-the-middle (AitM) phishing campaigns that trick users into scanning malicious QR codes with their MFA authenticators.\u00a0<\/p>\n

This development represents a significant escalation in identity-based attacks, which now account for 66.2% of security incidents according to recent threat intelligence reports.<\/p>\n

Key Takeaways<\/strong>
1. PoisonSeed tricks users into scanning malicious QR codes to bypass FIDO key protection.
2. Exploits cross-device sign-in by intercepting authentication between users and login portals.
3. Enable Bluetooth requirements and monitor authentication logs for suspicious activity.<\/pre>\n
How the PoisonSeed Attack Works<\/strong><\/h2>\n
Expel reports<\/a> that the attack begins with a conventional phishing email directing targets to fraudulent login pages that mimic legitimate authentication portals, such as fake Okta interfaces hosted on suspicious domains like okta[.]login-request[.]com.\u00a0<\/p>\n
When users with FIDO key protection enter their credentials on these phishing sites, attackers automatically relay the stolen username and password to the legitimate login portal while simultaneously requesting cross-device sign-in functionality.<\/p>\n
The malicious actors exploit the cross-device sign-in feature by capturing the QR code generated by the legitimate authentication system and displaying it to victims on the fake phishing page.\u00a0<\/p>\n
\n
\"PoisonSeed<\/figure>\n<\/div>\n
This technique effectively bypasses the physical interaction requirement typically associated with FIDO keys<\/a>, as users unknowingly complete the authentication process by scanning the QR code with their mobile MFA authenticator applications.<\/p>\n
Cross-device sign-in functionality was designed to help users authenticate on systems without registered passkeys by utilizing additional enrolled devices, typically mobile phones with MFA authenticator<\/a> applications.\u00a0<\/p>\n
\n
\"PoisonSeed<\/figure>\n<\/div>\n
Under normal circumstances, this process involves secure communication between the login portal and the MFA authenticator to verify user identity.\u00a0<\/p>\n
However, PoisonSeed attackers have weaponized this legitimate security feature by positioning themselves as intermediaries in the authentication flow.<\/p>\n
The attack leverages reputable infrastructure services like Cloudflare to host phishing domains such as aws-us3-manageprod[.]com, lending false credibility to the malicious sites.\u00a0<\/p>\n
This infrastructure choice helps the fraudulent login pages appear more trustworthy to potential victims, increasing the likelihood of successful credential harvesting.<\/p>\n
Mitigations<\/strong><\/h2>\n
Despite these attacks, FIDO keys remain valuable security investments, though organizations must now audit authentication logs more carefully for suspicious activity.\u00a0<\/p>\n
Security teams should monitor for cross-device sign-in requests from unusual geographic locations, unexpected FIDO key registrations, and multiple keys registered in rapid succession.<\/p>\n
A critical defensive measure involves enabling Bluetooth communication requirements between mobile devices and unregistered systems during cross-device sign-in processes, which would reduce AitM attack<\/a> effectiveness to nearly zero.\u00a0<\/p>\n
Organizations should also review authentication devices associated with compromised accounts, terminate affected user sessions, and reset passwords when incidents are detected.<\/p>\n
Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a>\u00a0<\/strong><\/p>\n
The post New PoisonSeed Attack Let Attackers Trick Users into Scanning a QR Code with an MFA Authenticator<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Kaaviya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
New PoisonSeed Attack Let Attackers Trick Users into Scanning a QR Code with an MFA Authenticator A sophisticated new attack technique compromises Fast IDentity Online (FIDO) key authentication by exploiting cross-device sign-in features.\u00a0 The PoisonSeed attack group has developed a method to downgrade FIDO key protections through adversary-in-the-middle (AitM) phishing campaigns that trick users into […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[677,129,63,131],"tags":[130],"class_list":["post-5509","post","type-post","status-publish","format-standard","hentry","category-cyber-attack-article","category-cyber-security","category-cyber-security-news","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5509"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5509"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5509\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}