Fake Chrome FedCM (Federated Credential Management) RP context deception lure — "use new fast sign-in via FedCM IdentityCredential" / "switch IdP via navigator.credentials.get within 24 hours" with attacker IdP. Sender NOT on the canonical IdP / Chrome-team allowlist (okta.com, auth0.com, microsoft.com, microsoftonline.com, azure.com, login.microsoftonline.com, google.com, accounts.google.com, workspace.google.com, amazon.com, amazonaws.com, awsapps.com, onelogin.com, pingidentity.com, forgerock.com, jumpcloud.com, duo.com, cisco.com, idaptive.com, cyberark.com, sailpoint.com, oneidentity.com, w3.org, chromium.org). Real FedCM IdP configuration is server-to-server through the IdP's `.well-known/web-identity` endpoint; user-facing "switch IdP via FedCM" emails do not exist as a legitimate flow. Distinct from R7 PAR / device-code / passkey-reenroll auth-protocol-param family — this signal is specifically the *FedCM IdentityCredential* W3C primitive (W3C FedCM 2024+, Chrome 120+). Source: Red-Team R8 multi-agent council S3 (technical-AiTM specialist), Lead consensus C2 extension.
fedcm-rp-context-deception-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake Chrome FedCM (Federated Credential Management) RP context deception lure targeting users of enterprise SSO-integrated apps on Chrome 120+. The phish narrative arrives as: "Try the new fast sign-in via Chrome FedCM and the IdentityCredential browser API. Click below to invoke navigator.credentials.get with the new IdP within 24 hours, or your sign-in flow will revert to the slow flow. Action required," or "Per the new W3C Federated Credential Management (FedCM) standard, switch your relying-party IdP via the IdentityCredential browser primitive. Click below to authorize the new identity provider within 48 hours, or your sign-in will be locked."

Once the user invokes `navigator.credentials.get({ identity: { providers: [{ configURL: <attacker IdP> }] } })` via the FedCM primitive, the browser presents its native account-chooser UI, which the user reads as cryptographic-grade authentication when in fact it is an ordinary web flow against an attacker-controlled IdP origin. The attacker IdP issues an ID token, which the relying party (mistakenly) trusts.

Real FedCM IdP configuration is server-to-server through the IdP's `.well-known/web-identity` endpoint, with the `configURL` registered against the relying-party origin in the IdP's identity-provider list. User-facing "switch IdP via FedCM" emails do not exist as a legitimate flow because the user is not the actor in the FedCM IdP-registration ceremony.

Sender NOT on the canonical IdP / Chrome-team allowlist (okta.com, auth0.com, microsoft.com, microsoftonline.com, azure.com, login.microsoftonline.com, google.com, accounts.google.com, workspace.google.com, amazon.com, amazonaws.com, awsapps.com, onelogin.com, pingidentity.com, forgerock.com, jumpcloud.com, duo.com, cisco.com, idaptive.com, cyberark.com, sailpoint.com, oneidentity.com, w3.org, chromium.org).
Distinct from the R7 PAR / device-code / passkey-reenroll auth-protocol-param family: this signal is specifically the *FedCM IdentityCredential* W3C primitive (W3C FedCM 2024+, Chrome 120+). Lead consensus C2 extension (Red-Team R8 multi-agent council): same shape as the auth-protocol-param family, so the canonical-IdP allowlist is extended to cover FedCM endpoints.

Fires when the body references a FedCM term: FedCM / fed-CM / federated credential management / IdentityCredential / <IdentityCredential> / navigator.credentials.get / "navigator credentials get"
AND a lure action: "use new fast sign-in" / "switch your IdP/identity provider/sign-in" / "authorize the new IdP/identity provider" / "invoke navigator.credentials.get/FedCM/IdentityCredential" / "click below/here to authorize/invoke/switch"
AND an identity context: relying-party / RP / IdP / identity provider / sign-in / SSO / federated sign-in / browser (api/primitive) / W3C
AND an urgency cue: within N hours-days / 24-48 hours / action required / "sign-in will be lock/locked/revert" / fast-track / "new W3C".

Excludes the canonical IdP / Chrome-team domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R8 multi-agent council S3 (technical-AiTM specialist), Lead consensus C2 extension.
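The conjunctive matching described above, written out as a reference implementation that is added here and is not Gorganizer's own code: four AND-ed term groups plus the sender allowlist carve-out, evaluated against three constructed messages (function names, regexes and sample addresses are this example's own assumptions, and it assumes the From header has already been authenticated upstream).

```python
import re
from email.utils import parseaddr

# Canonical IdP / Chrome-team allowlist, copied from the signal description above.
CANONICAL_IDP_DOMAINS = {
    "okta.com", "auth0.com", "microsoft.com", "microsoftonline.com", "azure.com", "login.microsoftonline.com",
    "google.com", "accounts.google.com", "workspace.google.com", "amazon.com", "amazonaws.com", "awsapps.com",
    "onelogin.com", "pingidentity.com", "forgerock.com", "jumpcloud.com", "duo.com", "cisco.com", "idaptive.com",
    "cyberark.com", "sailpoint.com", "oneidentity.com", "w3.org", "chromium.org",
}

# The four AND-ed term groups from "How Gorganizer detects this", as case-insensitive regexes
# (assumed spellings); the signal fires only when the body hits at least one pattern in every group.
TERM_GROUPS = {
    "fedcm": [r"\bfed-?cm\b", r"federated credential management", r"identitycredential",
              r"navigator[.\s]credentials[.\s]get"],
    "lure_action": [r"use (the )?new fast sign-?in", r"switch your (idp|identity provider|sign-?in)",
                    r"authorize the new (idp|identity provider)",
                    r"invoke (navigator\.credentials\.get|fedcm|identitycredential)",
                    r"click (below|here) to (authorize|invoke|switch)"],
    "context": [r"relying[- ]party", r"\b(rp|idp|sso|w3c)\b", r"identity provider",
                r"(federated )?sign-?in", r"browser (api|primitive)"],
    "urgency": [r"within \d+(-\d+)? (hours?|days?)", r"action required", r"fast-?track",
                r"sign-?in will be (lock|locked|revert)", r"new w3c"],
}

def sender_is_canonical(from_header: str) -> bool:
    """True when the From domain is an allowlisted domain or a subdomain of one. Assumes the
    pipeline already verified From alignment (SPF/DKIM); an unverified From can be forged."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in CANONICAL_IDP_DOMAINS)

def fedcm_lure_signal(from_header: str, body: str) -> dict:
    """Evaluate fedcm-rp-context-deception-lure; returns per-group matched strings for review."""
    if sender_is_canonical(from_header):
        return {"fires": False, "hits": {}, "reason": "sender on canonical IdP allowlist"}
    hits = {g: [m.group(0) for p in pats for m in re.finditer(p, body, re.I)]
            for g, pats in TERM_GROUPS.items()}
    fires = all(hits.values())
    return {"fires": fires, "hits": hits, "reason": "all four groups matched" if fires else "a group is missing"}

# Constructed sample messages (not real mail): a lure from a non-allowlisted domain, the same
# wording from a Chromium address (excluded), and a neutral developer note using FedCM vocabulary.
LURE = ("IT Support <helpdesk@sso-upgrade-portal.example>",
        "Per the new W3C Federated Credential Management (FedCM) standard, switch your IdP via the "
        "IdentityCredential browser primitive. Click below to authorize the new identity provider "
        "within 48 hours, or your sign-in will be locked.")
CHROMIUM_NOTE = ("Chromium Dev <updates@developer.chromium.org>", LURE[1])
NEWSLETTER = ("Web Digest <news@webdev-digest.example>", "FedCM in Chrome 120: IdentityCredential and "
              "navigator.credentials.get now let a relying party sign in users with fewer redirects.")
```

The newsletter case shows why all four groups are required: FedCM vocabulary plus an identity context alone does not fire, which keeps developer mail out of the trash score.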
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.