A new Device Code phishing technique automates the device authorization flow: instead of asking the victim to type a user code, the lure sends them straight to Microsoft's legitimate sign-in page with the code already supplied. Because the victim authenticates genuinely on the real page, FIDO's phishing resistance never comes into play, yet the resulting tokens are issued to the client that requested the device code, which the attacker controls. Microsoft has fixed this for ordinary Entra tenants, but federated tenants remain exposed. The article stresses how dangerous this attack model is, since it exploits users' trust in an authentication method they have been told is phishing-proof.
A new downgrade attack against Microsoft Entra ID tricks users into authenticating with a weaker method, leaving them open to phishing and session hijacking. The attacker's phishing infrastructure identifies itself as a browser that does not support FIDO, so Entra ID falls back to a less secure method; the attacker can then capture the user's credentials and the resulting session cookies. No real-world use of this method has been reported yet, but the risk is significant, particularly in targeted attacks.
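Both stories leave a trace in Entra ID sign-in logs: a device code phish shows up as a successful sign-in over the device authorization grant (even though the victim passed FIDO), and a downgrade shows up as a successful sign-in by a user who has a phishing-resistant method registered but authenticated with something weaker. The following detector is an added example, not code from either article or from Microsoft. It assumes the Microsoft Graph signIn field names (`authenticationProtocol`, `authenticationDetails[].authenticationMethod`, `status.errorCode`, `userAgent`), an assumed set of method labels treated as phishing-resistant, and a constructed registered-methods table; the sample records are constructed, not real data.

```python
"""Flag device-code sign-ins and FIDO downgrades in constructed Entra ID sign-in records."""
import json

# Constructed sample sign-in records (not real data). Field names are assumed to
# follow the Microsoft Graph signIn schema. s1: victim passed FIDO but the token
# went to a device-code client. s2: FIDO-registered user signed in with
# password + SMS from a browser claiming to be Safari on Windows. s5: failed
# sign-in, so no token was issued and it must not be flagged.
SAMPLE_SIGNINS_JSONL = """
{"id": "s1", "userPrincipalName": "alice@contoso.example", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "status": {"errorCode": 0}, "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": true}]}
{"id": "s2", "userPrincipalName": "bob@contoso.example", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15", "status": {"errorCode": 0}, "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}, {"authenticationMethod": "Text message", "succeeded": true}]}
{"id": "s3", "userPrincipalName": "carol@contoso.example", "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.44", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "status": {"errorCode": 0}, "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": true}]}
{"id": "s4", "userPrincipalName": "dave@contoso.example", "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.45", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "status": {"errorCode": 0}, "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true}]}
{"id": "s5", "userPrincipalName": "bob@contoso.example", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15", "status": {"errorCode": 50126}, "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": false}]}
"""

# Constructed registered-methods table, as you would export from the
# authentication methods report. Only users with a phishing-resistant method
# registered can be "downgraded".
REGISTERED_METHODS = {
    "alice@contoso.example": {"FIDO2 security key", "Password"},
    "bob@contoso.example": {"FIDO2 security key", "Password", "Text message"},
    "carol@contoso.example": {"FIDO2 security key"},
    "dave@contoso.example": {"Password", "Microsoft Authenticator"},
}

# Assumed labels for phishing-resistant methods; adjust to the strings your tenant logs.
PHISHING_RESISTANT = {"FIDO2 security key", "Passkey (device-bound)", "Windows Hello for Business"}


def load_signins(jsonl: str) -> list[dict]:
    """Parse one JSON sign-in record per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def succeeded(rec: dict) -> bool:
    """errorCode 0 means a token was actually issued; anything else is noise here."""
    return rec.get("status", {}).get("errorCode") == 0


def methods_used(rec: dict) -> set[str]:
    """Methods that actually succeeded during this sign-in."""
    return {d["authenticationMethod"] for d in rec.get("authenticationDetails", []) if d.get("succeeded")}


def find_device_code_signins(records: list[dict]) -> list[str]:
    """Successful sign-ins over the device authorization grant. The victim may well
    have used FIDO: the grant still hands the token to whoever holds the device_code."""
    return [r["id"] for r in records if r.get("authenticationProtocol") == "deviceCode" and succeeded(r)]


def find_fido_downgrades(records: list[dict], registered: dict[str, set[str]]) -> list[str]:
    """Successful sign-ins where the user has a phishing-resistant method registered
    but none was used, i.e. Entra ID fell back to a weaker method."""
    hits = []
    for r in records:
        if not succeeded(r):
            continue
        if not (registered.get(r["userPrincipalName"], set()) & PHISHING_RESISTANT):
            continue
        if methods_used(r) & PHISHING_RESISTANT:
            continue
        hits.append(r["id"])
    return hits


def suspicious_user_agent(ua: str) -> bool:
    """Assumed enrichment only: Safari has not shipped on Windows for years, so a
    Safari-on-Windows string is one plausible spoof of a browser without WebAuthn.
    The page does not say which string the attack uses, so this is not a flag by itself."""
    return "Windows NT" in ua and "Safari" in ua and "Chrome" not in ua and "Edg" not in ua


def summarize(records: list[dict], registered: dict[str, set[str]]) -> dict[str, list[str]]:
    return {
        "device_code": find_device_code_signins(records),
        "fido_downgrade": find_fido_downgrades(records, registered),
    }


if __name__ == "__main__":
    recs = load_signins(SAMPLE_SIGNINS_JSONL)
    by_id = {r["id"]: r for r in recs}
    for kind, ids in summarize(recs, REGISTERED_METHODS).items():
        for rid in ids:
            r = by_id[rid]
            ua_note = " (suspicious user agent)" if suspicious_user_agent(r["userAgent"]) else ""
            print(f"{kind}: {rid} {r['userPrincipalName']} from {r['ipAddress']}{ua_note}")
```

In a real tenant the registered-methods table comes from the authentication methods report and the records from the sign-in log export; the two checks are deliberately independent, because a device code phish succeeds with FIDO intact while a downgrade succeeds without the device code flow at all. Treat `suspicious_user_agent` as context for triage, not as a detection on its own.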