FIDO2 caBLE hybrid → phone authenticator hijack
Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
§ Context
Assumed environment: target RP supports FIDO2 hybrid transport (most modern WebAuthn deployments). Attacker controls a phishing page that proxies the WebAuthn handshake.
§ Steps
- 01Attacker session authenticatedInitial AccessT1078— Valid Accounts
- 02Lure victim to attacker login pageInitial AccessT1566— Phishing
- 03WebAuthn assertion sent to RP via attacker browserCredential AccessT1539— Steal Web Session Cookie
- 04Mailbox / SaaS exfilCollectionM365-EWS-EXFIL— Exchange Web Services (EWS) Exfil
- 05Set up reverse-proxy phishlet with QR displayInitial AccessPH-AITM-EVILGINX— AITM Phishing — Evilginx / Modlishka
- 06Victim scans QR with phone authenticatorCredential AccessAUTH-FIDO2-CABLE— FIDO2 caBLE / Hybrid Transport Abuse
§ References
- T1078Valid Accounts
- T1566Phishing
- T1539Steal Web Session Cookie
§ Frequently asked
- What is the "FIDO2 caBLE hybrid → phone authenticator hijack" attack path?
- Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Attacker session authenticated (T1078) — a initial access primitive. Assumed environment: target RP supports FIDO2 hybrid transport (most modern WebAuthn deployments).
- What is the final impact of this kill-chain?
- The final step lands on Victim scans QR with phone authenticator (AUTH-FIDO2-CABLE), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques5
AITM phishing (Evilginx) → M365 session theft → mailbox exfil
Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
- Shared techniques4
Browser-in-the-Browser → credential theft on a trusted page
Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.
- Shared techniques3
Compromised vendor mailbox → reply-chain phishing → client compromise
Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
- Shared techniques3
Malicious browser extension → cookie harvest → ATO
Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- Shared techniques3
Compromised CFO mailbox → invoice fraud → wire fraud
AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.
- Shared techniques2
5G core GTP-U user-plane injection → subscriber MITM
Attacker on a transit network between mobile-core hops (or with compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.