Hackers Exploit FIDO MFA With Novel Phishing Technique


PoisonSeed Threat Actor Uses Cross-Device Login Feature and QR Code to Trick Users

Expel researchers spotted a novel adversary-in-the-middle phishing technique that bypasses one of the most secure forms of multifactor authentication – FIDO2 physical keys. (Image: Shutterstock)

Expel researchers have found a novel adversary-in-the-middle phishing technique used by PoisonSeed, a cybercrime group previously tied to large-scale cryptocurrency thefts, to sidestep one of the most secure forms of multifactor authentication – FIDO2 physical keys.


While the FIDO protocol itself remains uncompromised, Expel researchers said in a report that attackers have found a way to “downgrade” FIDO protections by abusing a legitimate cross-device sign-in feature, which lets users log in from a new system by approving the login on a companion mobile device registered with their FIDO credentials. PoisonSeed’s phishing campaign exploits this process, using QR codes to obtain unauthorized access.


FIDO2 security keys – physical devices that enable passwordless authentication for online services – were designed to counter threats posed by phishing, SIM swapping and other weaknesses inherent in SMS or email-based MFA.

But the PoisonSeed attack chain bypasses the FIDO key, beginning with a phishing email. Victims are directed to a fake login page impersonating the organization’s Okta portal. Once users enter their username and password, the phishing site sends those stolen credentials to the real authentication service and requests a cross-device sign-in, which triggers a QR code to be generated.

That QR code is immediately displayed on the phishing site, deceiving the victim into scanning it with their mobile authenticator app, thinking it’s part of the usual sign-in process. Once scanned, the legitimate system links the mobile device with the attacker-controlled session, effectively handing over access to protected applications, documents and services.

“This is a concerning development, given that FIDO keys are often regarded as one of the pinnacles of secure multifactor authentication,” Expel’s security operations team said. “This attack demonstrates how a bad actor could run an end-route around an installed FIDO key.”

Jason Soroko, senior fellow at Sectigo, said the phishing attack cleverly mirrored a QR code from the real authentication system back to victims, tricking them into scanning it and completing the FIDO challenge, all while their physical security key remained unused. This sleight-of-hand allowed the attacker to gain access without ever touching the actual key.

“The hardware and cryptography remain sound yet the convenience features around them can be turned against you,” Soroko said. “Defenders can mitigate this technique by disabling cross-device sign-in where possible, enforcing Bluetooth proximity checks, monitoring for unexpected key registrations and geographies and teaching staff to treat any QR prompt after a password entry as a probable trap.”

Expel said the infrastructure behind the phishing page was hosted on newly registered domains through Cloudflare, adding an air of legitimacy that likely helped avoid user suspicion. In one observed incident, the attackers managed to not only initiate a valid session but also enroll their own FIDO key to persist access, without needing to trick users again.


Though the incident was quickly contained, the implications are far-reaching. “No vulnerability in FIDO was exploited directly,” Expel said. “But the combination of phishing, QR codes and legitimate sign-in workflows created a path of least resistance.”

Security teams are advised to monitor authentication logs for unexpected cross-device sign-in activity, unfamiliar FIDO key registrations, or anomalous geographic locations. Expel also recommends enabling Bluetooth verification during cross-device sign-ins, ensuring that users must be physically near the system during login.
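To make the monitoring advice concrete, here is an added example (not code from Expel or from this article) of a small detection routine run over constructed authentication events. The event schema, field names, event type strings and per-user country baseline are all assumptions invented for the example, not a real Okta or other vendor log format; a practitioner would map their own identity provider's events onto these two rules: a cross-device sign-in from a country outside the user's baseline, and a FIDO key enrollment shortly after such a sign-in, which is the persistence step described in the incident.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, generic schema (assumption:
# this is NOT a vendor's real log format). Fields: ts (ISO-8601 UTC), user,
# event type, country of the source IP, and key_id for FIDO enrollments.
SAMPLE_EVENTS = [
    {"ts": "2025-07-18T09:00:12Z", "user": "alice", "event": "login.password", "country": "US"},
    {"ts": "2025-07-18T09:00:40Z", "user": "alice", "event": "login.fido_touch", "country": "US"},
    {"ts": "2025-07-18T13:02:05Z", "user": "bob", "event": "login.password", "country": "US"},
    # cross-device (QR) sign-in completed from a country bob has never used
    {"ts": "2025-07-18T13:02:30Z", "user": "bob", "event": "login.cross_device", "country": "NL"},
    # a new FIDO key enrolled two minutes later from the same unusual location
    {"ts": "2025-07-18T13:04:10Z", "user": "bob", "event": "mfa.enroll_fido", "country": "NL", "key_id": "new-key-01"},
    # a benign cross-device sign-in from a country in carol's baseline
    {"ts": "2025-07-18T15:10:00Z", "user": "carol", "event": "login.cross_device", "country": "US"},
]

# Constructed per-user baseline: countries seen during normal operation.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "CA"}}

# How soon after a cross-device sign-in a key enrollment is treated as suspicious.
ENROLL_WINDOW = timedelta(minutes=30)


def parse_ts(value):
    """Parse the fixed ISO-8601 UTC timestamp format used by the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, baseline, enroll_window=ENROLL_WINDOW):
    """Return (user, rule, ts) alerts for the two cross-device sign-in rules.

    rule "cross_device_new_geo": a cross-device sign-in from a country that is
    not in the user's baseline.
    rule "fido_enroll_after_cross_device": a FIDO key enrollment within
    enroll_window after any cross-device sign-in by the same user.
    """
    alerts = []
    by_user = {}
    # Group events per user, in chronological order (timestamps share one format).
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(event["user"], []).append(event)

    for user, user_events in by_user.items():
        known_countries = baseline.get(user, set())
        for index, event in enumerate(user_events):
            if event["event"] != "login.cross_device":
                continue
            if event["country"] not in known_countries:
                alerts.append((user, "cross_device_new_geo", event["ts"]))
            # Look ahead for a key enrollment inside the window after this sign-in.
            start = parse_ts(event["ts"])
            for later in user_events[index + 1:]:
                if parse_ts(later["ts"]) - start > enroll_window:
                    break
                if later["event"] == "mfa.enroll_fido":
                    alerts.append((user, "fido_enroll_after_cross_device", later["ts"]))
    return alerts


if __name__ == "__main__":
    for user, rule, ts in detect(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(f"{ts} {user}: {rule}")
```

Run stand-alone, the script reports two alerts for bob and none for alice or carol. The second rule deliberately fires on any enrollment after a cross-device sign-in, regardless of geography, because an attacker routing traffic through a familiar country would defeat the first rule alone; tune the window to how quickly your help desk legitimately re-enrolls keys.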

“Attackers are relentless in targeting identity and session management,” Expel said. “This tactic proves that even the best defenses can be skirted with enough social engineering and creativity.”

Despite these developments, Expel said FIDO keys are still a strong form of authentication, as long as organizations audit usage regularly and understand potential blind spots as attackers continue to hone their techniques.
