Beware FIDO-Downgrade Attacks Bypassing Phishing Defenses
bankinfosecurity
Proof-of-Concept Attack Demonstrates FIDO Downgrade Against Microsoft Entra ID
Mathew J. Schwartz (euroinfosec) • August 14, 2025

A bulwark against credential-stealing phishing attacks has an implementation chink that's poised for commoditization by cybercriminals, say security researchers in news that's good for phishing-as-a-service providers but terrible for everyone else.
The digital underground has long offered phishing kits to low-level cybercrooks who prefer easy ways to manipulate victims into giving up logon credentials. Phishing-as-a-service (PhaaS) toolkits are available for a one-time fee or by subscription. In the first half of this year, about 60% to 70% of all phishing attacks originated from such toolkits, many of which offer one-click attack setup, easy automation and regular improvements to make them more effective.
Expect those toolkits to soon also offer the ability to sidestep FIDO - for ...
Copyright of this story solely belongs to bankinfosecurity.