Hackers are targeting organizations around the world that rely on Microsoft’s Active Directory Federation Services (ADFS) secure access system in an ongoing phishing campaign, according to new research.
Analysis from Abnormal Security describes how Microsoft’s ADFS, a legacy single-sign-on (SSO) solution that allows employees to use one set of credentials to authenticate across multiple applications and environments, is being mimicked by hackers to gain access to corporate networks.
The attackers use spoofed ADFS sign-in pages to trick victims into entering these credentials, as well as any second-factor authentication details used in for additional protection, such as one-time pass codes (OTPs).
Abnormal stated that the campaign’s success has been driven by the attackers’ use of highly convincing phishing techniques including making their phishing emails appear as if they were sent from trusted entities.
For example, the attack tends to begin with an email designed to appear as a notification from the organization’s IT helpdesk, informing the recipient of an urgent update they need to initiate using a link provided in the message.
The URLs included in the emails were also obfuscated, mimicking the familiar link structure of legitimate ADFS links, helping them pass some link verification checks and not raise the victim’s suspicion.
The fake login pages were also specifically crafted to be identical to the official portal used by the victim’s organization.
Abnormal added that these pages dynamically pull the respective organization’s logo from its legitimate website and incorporate specific branding elements such as relevant colors and imagery.
According to the organization’s MFA protocol, the phishing template includes forms designed to steal the specific second factor required to authenticate the victim’s account, including Microsoft Authenticator, Duo Security, and SMS verification.
Finally, targets are sent a message telling them they might need to approve a push notification or answer an automated call, which redirects the target to an official sign-in page further reducing their suspicion and completing the account takeover.
Education sector heavily targeted due to reliance on legacy tech
Abnormal observed a range of post-compromise activities, many of which are associated with financially-motivated attacks, including mail filter creation, lateral phishing, and further reconnaissance.
The mail filters were often named ‘recommended’ or based on the target’s name to avoid detection, and used obfuscated keywords such as ‘hish’ instead of ‘phish’ or ‘elpdes’ instead of ‘help desk’.
“By using non-obvious terms, the threat actors reduced the likelihood of security solutions or analysts identifying the filters as malicious," Abnormal explained.
"These tailored techniques ensured that any responses to lateral phishing emails were intercepted and deleted, preventing the mailbox owner from noticing malicious activity or incoming replies."
The report noted the campaign was used to target over 150 organizations in the US, Canada, Australia, and Europe. The targets occupied a range of industries but the campaign disproportionately attacked those in the education sector such as schools and universities, who received over 50% of the total number of attacks.
Abnormal said Microsoft advises that organizations transition to its modern identity platform, Entra, speculating that attackers are exploiting the fact that many organizations still rely on its legacy ADFS system.
“This reliance is particularly prevalent in sectors with slower technology adoption cycles or legacy infrastructure dependencies—making them prime targets for credential harvesting and account takeovers,” the report suggested.
It added that educational organizations often exhibit less mature cybersecurity defenses, and feature environments with high user volumes, legacy technology, and fewer security personnel due to budget constraints, making them ideal targets.
RELATED WHITEPAPER
Abnormal’s findings highlight that even more advanced security layers such as MFA can be bypassed using sophisticated social engineering. The firm emphasized this demonstrates that they adopt a multi-layered approach to cyber defense.
This would include robust defenses such as advanced email filtering and behavior monitoring, boosting user awareness of potential threat tactics, and transitioning to modern platforms and instead of relying on legacy systems for critical functions like secure access.
-
Canon names Guido Jacobs as new managing director for UK&INews Canon UK & Ireland has officially announced the appointment of brand veteran Guido Jacobs as its new managing director, having assumed the role from April 1.
-
Dell PowerEdge R570 reviewReviews With its impressive Xeon 6-core count and big storage features, the PowerEdge R570 is a cost-effective and energy-efficient alternative to expensive 2P rack servers
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attackTroy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
-
Security experts warn of ‘contradictory confidence’ over critical infrastructure threatsNews Almost all critical national infrastructure (CNI) organizations in the UK (95%) experienced a data breach in the last year, according to new research.
-
Healthcare organizations need to shake up email security practicesNews Microsoft 365 is the source of almost half of all healthcare email breaches, thanks mainly to misconfigurations in security settings.
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Google is dropping SMS authentication for QR codesNews Google appears finally ready to deprecate using SMS codes for multi-factor authentication (MFA) for Gmail according to insiders at the search giant.
-
Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to knowNews A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Microsoft is increasing payouts for its Copilot bug bounty programNews Microsoft has expanded the bug bounty program for its Copilot lineup, boosting payouts and adding coverage of WhatsApp and Telegram tools.
