Microsoft Entra ID attack weakens authentication
Briefly

Entra ID sign-in sessions can be hijacked even when the account is protected by FIDO, because the sign-in flow falls back to weaker methods when the browser appears not to support FIDO. Attackers carry out this FIDO downgrade after the user opens a phishing link: a phishlet in the Evilginx adversary-in-the-middle framework serves a counterfeit Microsoft Entra ID sign-in page and relays the traffic with a spoofed user agent of a browser that lacks FIDO support. The user is then prompted to pick an alternative verification method, so the attacker can capture the credentials and the resulting session cookies and gain unauthorized access. The technique has not yet been observed in real attacks, but it poses a risk to targeted individuals and organizations.
The attackers alter the browser identification (user agent) so that Entra ID does not offer FIDO, prompting the user to select an alternative verification method; the captured credentials and session then enable account takeover.
The attack therefore depends on emulating a browser without FIDO support, which pushes the user to a less secure method such as an SMS code.
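A defender's view of this downgrade, as an added example that is not part of the original article or of Evilginx: the script below scans sign-in records and flags any user who has previously signed in with a phishing-resistant method (FIDO2 security key, passkey, Windows Hello for Business) and then authenticates with a weaker method such as an SMS code, reporting whether the user agent was ever seen on one of that user's strong sign-ins. The records are constructed for the example and only loosely follow the shape of Microsoft Graph signIn objects; the field names and the method display strings are assumptions, so adapt them to the export you actually have.

```python
"""Flag FIDO-to-weaker-method downgrades in Entra ID sign-in records.

Added example, not code from the article. Record layout and method names are
assumptions modelled on Microsoft Graph signIn objects; adjust to your export.
"""
from collections import defaultdict

# Phishing-resistant methods: a reverse-proxy phishing kit cannot relay these.
PHISHING_RESISTANT = {"FIDO2 security key", "Passkey", "Windows Hello for Business"}
# Methods a downgrade lands on: all of them can be proxied by the attacker.
WEAK = {"Text message", "Phone call", "Mobile app notification",
        "Mobile app verification code"}

# Constructed sample records (assumption: field names follow Graph signIn objects).
def _rec(user, ts, method, ua, ip, ok=True):
    return {
        "userPrincipalName": user,
        "createdDateTime": ts,
        "userAgent": ua,
        "ipAddress": ip,
        "status": {"errorCode": 0 if ok else 50126},
        "authenticationDetails": [{"authenticationMethod": method, "succeeded": ok}],
    }

UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36")
UA_CHROME_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36")
UA_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1")
# A user agent of a browser predating WebAuthn, the kind a downgrade proxy would present.
UA_OLD_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

SAMPLE_SIGN_INS = [
    _rec("alice@example.com", "2024-06-03T08:00:00Z", "FIDO2 security key", UA_CHROME, "203.0.113.10"),
    _rec("alice@example.com", "2024-06-04T08:05:00Z", "FIDO2 security key", UA_CHROME, "203.0.113.10"),
    _rec("bob@example.com", "2024-06-04T09:00:00Z", "Text message", UA_SAFARI, "203.0.113.25"),
    _rec("alice@example.com", "2024-06-05T12:30:00Z", "Text message", UA_OLD_FIREFOX, "198.51.100.77"),
    _rec("alice@example.com", "2024-06-05T12:31:00Z", "Mobile app notification", UA_OLD_FIREFOX, "198.51.100.77"),
    _rec("alice@example.com", "2024-06-06T08:00:00Z", "FIDO2 security key", UA_CHROME_MAC, "203.0.113.10"),
]


def methods_of(record):
    """Set of authentication methods that succeeded in this sign-in."""
    return {d.get("authenticationMethod")
            for d in record.get("authenticationDetails", []) if d.get("succeeded")}


def find_downgrades(records):
    """Return one finding per weak-method sign-in by a user who earlier
    completed a phishing-resistant sign-in. Records are processed in time
    order, so the baseline for each record is only what was seen before it.
    The trusted user-agent set is built from strong sign-ins only, so a
    downgrade proxy's user agent never becomes trusted by being flagged once."""
    strong_users = set()
    trusted_agents = defaultdict(set)
    findings = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        used = methods_of(rec)
        if used & PHISHING_RESISTANT and rec["status"]["errorCode"] == 0:
            strong_users.add(user)
            trusted_agents[user].add(rec["userAgent"])
            continue
        weak_used = used & WEAK
        if user in strong_users and weak_used:
            findings.append({
                "user": user,
                "time": rec["createdDateTime"],
                "method": sorted(weak_used)[0],
                "ipAddress": rec["ipAddress"],
                "new_user_agent": rec["userAgent"] not in trusted_agents[user],
                "userAgent": rec["userAgent"],
            })
    return findings


if __name__ == "__main__":
    for f in find_downgrades(SAMPLE_SIGN_INS):
        print(f"{f['time']} {f['user']} downgraded to {f['method']!r} from "
              f"{f['ipAddress']} (unseen user agent: {f['new_user_agent']})")
```

On the sample data, bob is never flagged because he has no phishing-resistant history, and alice's two weak-method sign-ins from the unfamiliar user agent are both reported. A finding like this is a trigger for revoking the user's sessions and reviewing the source address; the structural fix is to stop the fallback from being offered at all by requiring a phishing-resistant authentication strength in Conditional Access for the users and apps that matter, which is general Entra ID guidance and not something the article discusses.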
Read at Techzine Global