Security researchers have identified a novel phishing technique that leverages QR codes presented during simulated multifactor authentication (MFA) processes to bypass FIDO-based protections. The method exploits legitimate cross-device sign-in flows — without compromising the underlying FIDO standard — by manipulating user behavior and undermining core assumptions of phishing-resistant authentication.
The Attack in Detail
The phishing campaign begins with victims receiving a socially engineered email, leading them to a counterfeit corporate login portal imitating services such as Okta, Microsoft 365, or similar identity providers. Upon inputting their credentials, users unwittingly initiate a legitimate login session — not on their own behalf, but on behalf of the attacker operating in the background.
Once credentials are harvested, the attacker uses them to authenticate with the real service. During this process, the attacker requests a cross-device sign-in — a legitimate fallback method for users who need to authenticate on a device where their FIDO hardware key isn’t available. As part of this process, the authentic service generates a QR code, intended for use by the real account owner.
The attacker’s phishing page then displays this QR code to the unsuspecting victim, framed as the next step in completing their MFA. When the user scans the QR code using their trusted mobile authenticator app or enrolled device, they unknowingly approve the attacker’s session — thereby handing over full account access in real time.
Understanding the Exploit
Importantly, this attack does not compromise FIDO authentication mechanisms or any cryptographic elements of WebAuthn or security keys. Instead, it exploits a user-facing feature — cross-device QR code prompts — through social engineering.
Key Characteristics of the Attack:
- Trust Exploitation: Users believe they are scanning a legitimate QR code as part of standard MFA, unaware it was generated by the attacker.
- Seamless Session Relay: Real-time phishing kits mirror authentication requests and capture QR codes, allowing attackers to serve them directly to the victim via a fake interface.
- Designed to Evade Traditional Protections: The campaign avoids detection by security tools that primarily look for password theft or abuse of SMS/OTP-based MFA rather than phishing-resistant flows.
Attribution and Impact
Threat actors implementing this method include the “PoisonSeed” group, a financially motivated operation targeting enterprise accounts, particularly those connected to payment tools, cryptocurrency platforms, and corporate access systems.
Features of the campaign include:
- Automated attacker-in-the-middle phishing kits capable of relaying live authentication sessions.
- Dynamic session hijacking where victims unknowingly authorize attackers through QR-based flows.
- Increasingly polished phishing interfaces capable of mimicking enterprise login pages with high accuracy.
