Shane

CinchOps Cybersecurity Alert: PoisonSeed Attackers Exploit Cross-Device Sign-In to Bypass FIDO Key Protections

PoisonSeed Hackers Turn FIDO Security Feature Into Phishing Gateway – QR Code Phishing Attack Bypasses Multi-Factor Authentication Protections

The cybersecurity community has identified a concerning new attack technique that undermines one of the most trusted security technologies available today. The PoisonSeed threat group has developed a method to bypass FIDO key protections by exploiting legitimate cross-device authentication features, turning a security convenience into a phishing opportunity.

Description of the Attack

FIDO keys are hardware- or software-based authenticators designed to eliminate phishing by binding logins to specific domains using public-private key cryptography. However, PoisonSeed attackers have found a way to circumvent these protections without exploiting any technical vulnerabilities in the FIDO implementation itself.

The attack leverages the cross-device sign-in feature, which lets a user authenticate on a device that holds no passkey by using a second device, such as a mobile phone, that does hold the cryptographic key.

The attack process unfolds in several coordinated steps:

  • Victims receive phishing emails directing them to fake enterprise login portals that closely mimic legitimate services like Okta or Microsoft 365
  • When users enter their credentials, the malicious site automatically forwards this information to the real login portal
  • The phishing site requests cross-device authentication, causing the legitimate portal to generate a QR code
  • This QR code is immediately captured and displayed to the victim on the fake site
  • When users scan the QR code with their mobile authenticator, they unknowingly approve the attacker’s login session

What makes the attack noteworthy is that it gets around protections offered by FIDO keys and enables threat actors to obtain access to users’ accounts. The compromise method does not exploit any flaw in the FIDO implementation. Rather, it abuses a legitimate feature to downgrade the authentication process.


(PoisonSeed Attack Chain – Source: Expel)

Severity of the Issue

This attack represents a HIGH severity threat to organizations relying on FIDO keys for authentication security. The technique successfully bypasses what many consider the gold standard of phishing-resistant authentication methods. While the attack doesn’t exploit technical vulnerabilities, it demonstrates how legitimate security features can be weaponized through social engineering.

The severity is particularly concerning because FIDO keys have been widely promoted as a solution to credential theft and phishing attacks. Organizations that have invested heavily in FIDO deployment may have a false sense of security regarding their authentication mechanisms.

How the Attack is Exploited

The PoisonSeed attack employs an adversary-in-the-middle (AitM) approach that manipulates the cross-device authentication flow. After relaying the victim's credentials, the phishing site instructs the legitimate login page to use the hybrid transport method for authentication, which causes the page to serve a QR code that is then sent back to the phishing site and presented to the victim.

Key technical elements include:

  • Real-time QR code interception: The attack captures QR codes from legitimate portals and displays them on phishing sites within seconds
  • Session hijacking: Once the victim scans the QR code, attackers gain access to the authenticated session
  • Cross-device manipulation: The technique specifically targets authentication flows that don’t enforce strict proximity checks like Bluetooth connectivity

This technique doesn't work in all scenarios: it only succeeds against cross-device flows that do not enforce strict proximity checks, such as Bluetooth or local device attestation.


(PoisonSeed QR Code Example – Source: Expel)

Who is Behind the Attack

The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed. This group has been active since early 2025 and has demonstrated sophisticated capabilities across multiple attack vectors.

PoisonSeed’s previous activities include:

  • Compromising customer relationship management (CRM) tools and bulk email providers
  • Conducting cryptocurrency seed phrase poisoning attacks
  • Targeting high-value individuals and enterprise organizations
  • Operating large-scale phishing campaigns for financial fraud

PoisonSeed threat actors are targeting enterprise organizations and individuals outside the cryptocurrency industry. The group has shown particular interest in compromising accounts at major technology platforms and email service providers to facilitate their broader criminal operations.

Who is at Risk

Multiple categories of users and organizations face exposure to this attack technique:

Enterprise Users: Employees at organizations using FIDO keys for authentication are primary targets, especially those accessing corporate portals through Okta, Microsoft 365, or similar identity management platforms.

Cross-Device Authentication Users: Individuals who regularly authenticate using QR codes or cross-device flows are particularly vulnerable to this specific attack vector.

High-Value Targets: Given PoisonSeed’s history of targeting cryptocurrency holders and enterprise executives, users with access to sensitive financial or business systems face elevated risk.

Organizations with Flexible FIDO Policies: Environments that permit unrestricted cross-device sign-in are exposed. By contrast, if a user's environment mandates hardware security keys plugged directly into the login device, or uses platform-bound authenticators (like Face ID tied to the browser context), the attack chain breaks.

The attack is most effective against organizations that have implemented FIDO authentication but haven’t enforced strict proximity requirements for cross-device authentication flows.

Remediation Strategies

Organizations can implement several defensive measures to protect against this attack technique:

Proximity Enforcement: Require Bluetooth communication between mobile devices and login systems for cross-device authentication. Enabling this feature will reduce the chances that attackers can use this AitM phishing attack to almost zero.

Authentication Policy Hardening: When possible, require logins to occur on the same device holding the passkey, which eliminates the cross-device attack vector entirely.
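The proximity check itself (Bluetooth between the phone and the login device) is enforced inside the browser and CTAP hybrid transport, so a relying party cannot verify it directly. What the relying party can do is the policy hardening described above: restrict which authenticators may enroll and refuse logins that do not match. The following is an added example, not code from CinchOps, Expel or any vendor, of such a policy layer for a WebAuthn/FIDO2 server. It runs in Node without a browser; the credential objects are constructed samples shaped like the output of `PublicKeyCredential.toJSON()`, the AAGUIDs are placeholders rather than real authenticator models, and signature and attestation verification are assumed to be done beforehand by a WebAuthn library.

```javascript
// Added example (not from the original post): relying-party policy for
// WebAuthn enrollment and login that closes off the hybrid (QR / cross-device)
// transport. Attestation and assertion signatures are assumed to be verified
// by a WebAuthn library before these checks run.

// Placeholder AAGUIDs (constructed). In production these come from the FIDO
// Metadata Service or vendor documentation, and they are only trustworthy
// after the attestation signature has been verified.
const TRUSTED_HARDWARE_KEYS = ["11111111-1111-1111-1111-111111111111"];
const TRUSTED_DEVICE_BOUND_PLATFORM = ["22222222-2222-2222-2222-222222222222"];

// Three policy levels. "permissive" is the exposed configuration the post
// describes; "strict" and "hardwareKey" never allow the hybrid transport.
const POLICY = {
  strict: {       // passkey must live on the login device itself
    attachment: "platform", transports: ["internal"],
    aaguids: TRUSTED_DEVICE_BOUND_PLATFORM, hints: ["client-device"],
  },
  hardwareKey: {  // roaming key plugged into or tapped on the login device
    attachment: "cross-platform", transports: ["usb", "nfc"],
    aaguids: TRUSTED_HARDWARE_KEYS, hints: ["security-key"],
  },
  permissive: {
    attachment: null, transports: ["internal", "usb", "nfc", "ble", "hybrid"],
    aaguids: null, hints: [],
  },
};

// Options handed to navigator.credentials.create(). rp, user and challenge
// are server-supplied values; here they are plain parameters.
function buildCreationOptions(policyName, { rpId, rpName, userId, userName, challenge }) {
  const policy = POLICY[policyName];
  if (!policy) throw new Error(`unknown policy ${policyName}`);
  const authenticatorSelection = { residentKey: "required", userVerification: "required" };
  if (policy.attachment) authenticatorSelection.authenticatorAttachment = policy.attachment;
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection,
    attestation: "direct", // so the server can verify which authenticator model enrolled
    hints: policy.hints,   // WebAuthn Level 3 hints steer the browser chooser away from the QR flow
  };
}

// Enrollment check. `cred` is the toJSON() form plus the AAGUID the WebAuthn
// library extracted from the verified attestation.
function checkRegistration(policyName, cred) {
  const policy = POLICY[policyName];
  const reasons = [];
  const transports = (cred.response && cred.response.transports) || [];
  if (policy.attachment && cred.authenticatorAttachment !== policy.attachment) {
    reasons.push(`attachment ${cred.authenticatorAttachment} is not ${policy.attachment}`);
  }
  for (const t of transports) {
    if (!policy.transports.includes(t)) reasons.push(`transport ${t} not allowed`);
  }
  // Fail closed: under a restrictive policy a credential that advertises no
  // transports cannot be shown to be local to the login device.
  if (policy.attachment && transports.length === 0) reasons.push("no transports reported");
  // The attested AAGUID is the one field here a hostile client cannot forge;
  // attachment and transports are client-reported hints.
  if (policy.aaguids && !policy.aaguids.includes(cred.aaguid)) reasons.push(`aaguid ${cred.aaguid} not trusted`);
  return { ok: reasons.length === 0, reasons };
}

// Login check, defence in depth only: the attachment value is client-reported,
// so the real guarantee is the enrollment policy above. This catches a synced
// passkey presented over the hybrid transport instead of on the login device.
function checkAssertion(policyName, assertion, storedCredentials) {
  const policy = POLICY[policyName];
  const reasons = [];
  if (!storedCredentials.some((c) => c.id === assertion.id)) reasons.push("unknown credential id");
  if (policy.attachment && assertion.authenticatorAttachment !== policy.attachment) {
    reasons.push(`attachment ${assertion.authenticatorAttachment} is not ${policy.attachment}`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample credentials (not real registrations).
const LAPTOP_CRED = { id: "cred-laptop", authenticatorAttachment: "platform",
  aaguid: TRUSTED_DEVICE_BOUND_PLATFORM[0], response: { transports: ["internal"] } };
const PHONE_CRED = { id: "cred-phone", authenticatorAttachment: "cross-platform",
  aaguid: "33333333-3333-3333-3333-333333333333", response: { transports: ["hybrid", "internal"] } };
const USB_KEY_CRED = { id: "cred-usb", authenticatorAttachment: "cross-platform",
  aaguid: TRUSTED_HARDWARE_KEYS[0], response: { transports: ["usb", "nfc"] } };
```

Under the `strict` policy the phone-held passkey is rejected at enrollment for three independent reasons (attachment, the `hybrid` transport, and an untrusted AAGUID), while the same credential passes under `permissive`; the hardware-key policy admits the USB/NFC key but not the platform passkey. The AAGUID allow-list is what carries the weight, because attachment and transports can be altered by the client that talks to the portal.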

Enhanced Monitoring: Security teams should watch for unusual QR code logins or new passkey enrollments. Implement alerting for unexpected authentication patterns or device registrations.
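The two signals named above, unusual cross-device (QR) logins and passkey enrollments that follow them, can be expressed as a small correlation over the identity provider's audit events. The following is an added example and not code from CinchOps, Expel or any identity provider: the log schema, the sample lines, the per-user baseline and the 30-minute enrollment window are all constructed for this illustration, so the field names need to be mapped to whatever your IdP exports.

```javascript
// Added example (not from the original post): scans authentication audit
// events for cross-device logins outside a user's baseline and for passkey
// enrollments shortly after such a login. Schema and data are constructed.

// Constructed sample audit log (JSON lines). One malformed line is included
// on purpose so the parser's handling of it is exercised.
const SAMPLE_LOG = [
  '{"ts":"2025-07-15T08:01:10Z","user":"alice","event":"login.success","transport":"internal","ip":"203.0.113.10","country":"US"}',
  '{"ts":"2025-07-15T08:05:42Z","user":"bob","event":"login.success","transport":"usb","ip":"203.0.113.11","country":"US"}',
  '{"ts":"2025-07-15T09:12:03Z","user":"alice","event":"login.success","transport":"hybrid","ip":"198.51.100.7","country":"NL"}',
  '{"ts":"2025-07-15T09:20:55Z","user":"alice","event":"passkey.enrolled","transport":"hybrid","ip":"198.51.100.7","country":"NL"}',
  '{"ts":"2025-07-15T10:00:00Z","user":"carol","event":"login.success","transport":"hybrid","ip":"203.0.113.12","country":"US"}',
  'not json at all',
].join("\n");

// Constructed baseline: countries and transports each user has used in the
// look-back period. carol routinely uses cross-device sign-in, alice never has.
const BASELINE = {
  alice: { countries: ["US"], transports: ["internal"] },
  bob: { countries: ["US"], transports: ["usb"] },
  carol: { countries: ["US", "DE"], transports: ["hybrid", "internal"] },
};

// Assumption for this example: an enrollment within 30 minutes of a
// cross-device login is worth a second look.
const ENROLL_WINDOW_MS = 30 * 60 * 1000;

// Parse JSON lines, skip anything unparseable, and return events in time order.
function parseEvents(text) {
  const events = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      const e = JSON.parse(line);
      e.tsMs = Date.parse(e.ts);
      if (Number.isNaN(e.tsMs)) continue;
      events.push(e);
    } catch (err) {
      // malformed line: ignored
    }
  }
  return events.sort((a, b) => a.tsMs - b.tsMs);
}

// Apply the two rules. Returns one alert per triggering event, each with the
// reasons that fired, so an analyst sees why it surfaced.
function detect(events, baseline) {
  const alerts = [];
  const lastHybridLogin = {}; // user -> most recent cross-device login event
  for (const e of events) {
    if (e.event === "login.success" && e.transport === "hybrid") {
      lastHybridLogin[e.user] = e;
      const known = baseline[e.user] || { countries: [], transports: [] };
      const reasons = [];
      if (!known.transports.includes("hybrid")) reasons.push("first cross-device (QR) login for this user");
      if (!known.countries.includes(e.country)) reasons.push(`country ${e.country} not in baseline`);
      if (reasons.length) alerts.push({ rule: "unusual-hybrid-login", user: e.user, ts: e.ts, ip: e.ip, reasons });
    } else if (e.event === "passkey.enrolled") {
      const prior = lastHybridLogin[e.user];
      if (prior && e.tsMs - prior.tsMs <= ENROLL_WINDOW_MS) {
        const minutes = Math.round((e.tsMs - prior.tsMs) / 60000);
        alerts.push({
          rule: "enrollment-after-hybrid-login", user: e.user, ts: e.ts, ip: e.ip,
          reasons: [`passkey enrolled ${minutes} min after cross-device login from ${prior.ip}`],
        });
      }
    }
  }
  return alerts;
}

// Convenience entry point: run both rules over a log text with a baseline.
function runDetection(text = SAMPLE_LOG, baseline = BASELINE) {
  return detect(parseEvents(text), baseline);
}
```

On the sample data this raises two alerts, both for alice: a cross-device login that is both her first ever and from a country outside her baseline, followed nine minutes later by a passkey enrollment from the same address. carol's cross-device login is silent because it matches her baseline, which is the point of keeping a baseline rather than alerting on every QR login.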

Geographic Restrictions: Limit the geographic locations from which users can authenticate and establish approval processes for travel-related exceptions.

User Education: Train employees to recognize suspicious QR code requests and verify the legitimacy of login portals before entering credentials.

Account Recovery Security: Account recovery options should use phishing-resistant methods, and login screens, especially for cross-device sign-ins, should show helpful details such as location and device type, or clear warnings, to help users spot suspicious activity.

Multi-Layered Verification: Implement additional verification steps for sensitive account changes, including new FIDO key enrollments or password resets.

How CinchOps Can Help

Protecting your organization against sophisticated attacks like PoisonSeed’s FIDO bypass requires comprehensive cybersecurity expertise and advanced monitoring capabilities. CinchOps provides the technical knowledge and security infrastructure needed to defend against evolving authentication threats.

Our managed IT security services include:

  • Advanced Threat Detection: Continuous monitoring for unusual authentication patterns and suspicious QR code-based login attempts
  • Identity and Access Management: Implementation of robust authentication policies with proper proximity controls and device verification
  • Security Awareness Training: Comprehensive employee education programs focused on recognizing advanced phishing techniques and social engineering attacks
  • Incident Response Planning: Rapid response capabilities to contain and remediate authentication bypass attempts before they cause significant damage
  • Compliance and Policy Development: Expert guidance on implementing FIDO authentication with appropriate security controls and monitoring mechanisms

CinchOps understands that even the most advanced security technologies can be circumvented through sophisticated social engineering. Our proactive approach combines technical controls with user education to create multiple layers of defense against emerging threats like the PoisonSeed FIDO bypass attack.


Discover More

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Massive Network of Fake News Sites Fuels Global Investment Fraud
For Additional Information on this topic: Phishing Attack Bypasses FIDO Key Authentication