
Researchers have identified a credential-harvesting phishing kit, PoisonSeed, that attackers are using against organizations whose users sign in with FIDO2. Victims are lured to phishing pages that mirror official login pages, and the kit then abuses a convenience feature of FIDO2, cross-device sign-in, to turn the phished credentials into a working session.
The likely targets are Microsoft 365 users, along with Google Workspace and Okta customers. This suggests that the attackers are after sensitive enterprise data or are collecting credentials for follow-on spearphishing campaigns.
An Expel report detailed that its Security Operations Center (SOC) team found a social engineering attack targeting Fast IDentity Online (FIDO) authentication methods.
The attack unfolded when an Expel customer was targeted through a phishing email campaign. Several employees of the customer organization received messages that lured them to a fake login page hosted at okta[.]login-request[.]com.
FIDO2 lets users sign in to sensitive accounts such as email, cloud platforms or enterprise dashboards without a phishable password, using hardware security keys, biometrics or the platform authenticator built into the device.
When a victim enters a username and password on a PoisonSeed page, the kit does not present the legitimate FIDO2 prompt. It forwards the credentials to the real Microsoft, Google or Okta login and then abuses cross-device sign-in, showing the victim a QR prompt after the password step. If the victim approves that prompt with their own authenticator, the session that results belongs to the attacker, even though the security key never left the victim's possession.
Users who expect phishing-resistant protection therefore hand over an authenticated session to the attacker. Where cross-device sign-in is not available, the phishing site strips the FIDO option and offers weaker fallbacks such as passwords or SMS codes, which the kit can capture outright. Either way, an account protected by FIDO2 becomes exposed again.
Addressing the tactic, Jason Soroko, Senior Fellow at Sectigo, said, "Credentials were captured with a fake Okta page... This maneuver gave the adversary an active session while the key stayed safe in the victim’s pocket..." highlighting how social engineering, not technical flaws, can still compromise even secure login systems.
The convenience features built around FIDO can be turned against you, he said, and recommended disabling cross-device sign-in where possible. He advised enforcing Bluetooth proximity checks, monitoring for suspicious key registrations or login locations, and "treating any QR prompt after a password entry as a probable trap."
Beyond impersonating a login page, the kit manipulates the authentication flow itself, chaining several deceptions in one session.
PoisonSeed is built as a modular phishing kit. Rather than building a new phishing page for every campaign, the operators reuse the same engine and plug in a different login design or flow, switching between Microsoft, Google or Okta targets with little effort.
This raises a practical concern for identity administrators and developers, who will need to restrict or disable fallback authentication methods that undercut the FIDO2 login flow.
Users of FIDO2 should also check for the FIDO prompt they normally see and stop if only weaker options such as a password or SMS code appear. If FIDO is missing from a login they use regularly, they may be on a phishing page.
J. Stephen Kowski, Field CTO at SlashNext, warned that this marks a shift in attacker strategy, adding, “This isn’t a one-off situation — it’s a real evolution in how attackers are thinking about bypassing strong authentication methods.”
PoisonSeed exploits legitimate cross-device features designed to make FIDO more user-friendly. “It turns a security feature into a potential weakness through social engineering,” Kowski added.
He also advised organizations to implement safeguards like Bluetooth proximity checks during cross-device authentication and ensure phishing detection tools are in place.
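The monitoring that Soroko and Kowski recommend above (watching for suspicious key registrations and login locations, and for cross-device sign-ins that policy says should not happen) can be expressed as a small detection pass over identity-provider sign-in logs. The following is an added example written for this article, not code from Expel, Okta or any vendor: the log schema, event names, IP baseline and sample lines are all constructed for illustration and do not match any real provider's log format.

```python
"""Flag cross-device FIDO sign-ins from unknown locations and authenticator
enrollments that follow them. Added example with a constructed log schema."""
from datetime import datetime, timedelta

# Constructed baseline (hypothetical): IPs each user has signed in from before.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.7"},
    "bob@example.com": {"203.0.113.9"},
    "carol@example.com": {"203.0.113.44"},
    "dave@example.com": {"203.0.113.50"},
}

# Constructed sample events, hypothetical schema: "<ts> <user> <event> <ip>".
# alice: password and cross-device FIDO from a new IP, then a new key enrolled.
# bob:   platform authenticator from a known IP (benign).
# carol: cross-device from a known IP (benign unless policy forbids it).
# dave:  cross-device from a new IP; enrollment two hours later (outside window).
SAMPLE_LOG = [
    "2025-07-10T09:01:12Z alice@example.com password.success 198.51.100.22",
    "2025-07-10T09:01:40Z alice@example.com fido.cross_device.success 198.51.100.22",
    "2025-07-10T09:03:05Z alice@example.com authenticator.enrolled 198.51.100.22",
    "2025-07-10T09:10:00Z bob@example.com password.success 203.0.113.9",
    "2025-07-10T09:10:21Z bob@example.com fido.platform.success 203.0.113.9",
    "2025-07-10T10:00:00Z carol@example.com password.success 203.0.113.44",
    "2025-07-10T10:00:30Z carol@example.com fido.cross_device.success 203.0.113.44",
    "2025-07-10T11:00:00Z dave@example.com password.success 198.51.100.77",
    "2025-07-10T11:00:35Z dave@example.com fido.cross_device.success 198.51.100.77",
    "2025-07-10T13:00:00Z dave@example.com authenticator.enrolled 198.51.100.77",
]

# How long after a flagged sign-in a new authenticator enrollment is suspicious.
ENROLL_WINDOW = timedelta(minutes=30)


def parse_event(line):
    """Parse one constructed log line into a dict (format is illustrative only)."""
    ts, user, event, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "ip": ip,
    }


def detect(lines, known_ips=KNOWN_IPS, cross_device_allowed=True):
    """Return (user, reason, timestamp) findings, in time order.

    cross_device_allowed=False models the 'disable cross-device sign-in' advice:
    any cross-device assertion is then a policy violation regardless of IP.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    suspicious_at = {}  # user -> timestamp of the most recent flagged sign-in
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "fido.cross_device.success":
            from_new_ip = e["ip"] not in known_ips.get(user, set())
            if not cross_device_allowed:
                findings.append((user, "cross_device_disabled_by_policy", ts))
                suspicious_at[user] = ts
            elif from_new_ip:
                findings.append((user, "cross_device_from_new_ip", ts))
                suspicious_at[user] = ts
        elif e["event"] == "authenticator.enrolled":
            # A key registered soon after a flagged sign-in is the attacker
            # making their access persistent; treat it as high priority.
            flagged = suspicious_at.get(user)
            if flagged is not None and ts - flagged <= ENROLL_WINDOW:
                findings.append((user, "authenticator_enrolled_after_suspicious_signin", ts))
    return findings


if __name__ == "__main__":
    for user, reason, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user} {reason}")
```

On the sample data the default policy yields three findings (alice's new-IP cross-device sign-in, alice's enrollment two minutes later, and dave's new-IP cross-device sign-in); with cross-device sign-in disallowed, carol's otherwise benign sign-in is flagged as well. In a real deployment the baseline would come from historical sign-in data and the events from the provider's system log, and the enrollment finding is the one worth paging on.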
PoisonSeed does not break FIDO2 itself. Researchers have confirmed that the kit exploits no flaw in the protocol. Instead, it sidesteps the intended phishing-resistant flow, abusing the cross-device sign-in path and, where it can, steering users toward weaker fallback methods.
Trey Ford, Chief Information Security Officer at Bugcrowd, acknowledged the value FIDO has brought to modern authentication. “FIDO has done so much for increasing the efficiency and effectiveness of security,” he said.
Calling on security professionals to step up against the challenges posed by PoisonSeed, Ford urged breaking common assumptions about secure login flows, saying, “This is a fun attack — and one we all need to instrument for.”
Echoing the need for a stronger defense posture, Darren Guccione, CEO and Co-Founder at Keeper Security, emphasized that FIDO's hardware-backed protection remains a cornerstone of secure authentication. He stressed that while strong MFA is essential, it is not enough on its own. It must be part of a broader strategy that includes identity controls, privileged access management and user training.
PoisonSeed is part of a broader trend in credential theft similar to recent multi-country breaches like the one reportedly affecting McDonald’s user accounts.