
Microsoft Logins Stolen via Legitimate ADFS Redirects

Warning: Hackers Are Stealing Microsoft 365 Logins Using a Clever ADFS Phishing Tactic

A phishing campaign is actively targeting Microsoft 365 users by abusing a legitimate piece of corporate sign-in infrastructure to steal login credentials. The method is dangerous because the link the victim clicks points at a trusted, authentic domain, which deceives even security-savvy individuals and slips past email security filters that judge a link by its first hop.

The attack centers on Active Directory Federation Services (ADFS), the single sign-on (SSO) service many organizations run so that employees can reach multiple applications, including Microsoft 365, with one set of credentials. By manipulating how the ADFS sign-in endpoint handles the return URL it is handed, attackers lure victims through the real ADFS server to a fake login page and harvest their usernames and passwords.

How the ADFS Redirect Attack Works

Understanding this attack is the first step toward defending against it. The process is deceptive because it begins on a legitimate server and only then redirects to a malicious one.

  1. The Bait: The attack starts with a phishing email. This email might contain an urgent request, a notification about a shared document, or a voicemail alert. The link within the email appears safe because it points to a company’s own, legitimate ADFS login portal (e.g., adfs.companyname.com).

  2. The Legitimate Redirect: When the user clicks the link, they land on the real ADFS server over a valid TLS connection. The link, however, has been crafted by the attacker so that its redirect (return URL) parameter points off-site. An ADFS server that does not validate that parameter against the endpoints it is allowed to return users to processes the request and forwards the browser to a website the attacker controls.

  3. The Fake Login Page: The destination is a pixel-perfect replica of the standard Microsoft 365 or Outlook sign-in screen. Because the hop happens almost instantly, most users never notice that the domain in the address bar has changed from the trusted ADFS host to a malicious one.

  4. Credential Theft: Believing they are on a legitimate sign-in page, the user enters their email address and password. The attackers capture both directly and, unless a second factor stands in the way, gain access to the victim's account, including email, files, and any corporate systems reachable with the same credentials.

Why This Phishing Method Is So Effective

This attack vector poses a significant threat for several key reasons:

  • Bypasses Security Scanners: Because the link in the phishing email points to a trusted, reputable ADFS domain, automated email security gateways that evaluate only the visible domain's reputation do not flag it as malicious; the attacker's domain is hidden inside a query parameter.
  • Exploits User Trust: Users are trained to check for a familiar domain before clicking. Seeing their own company's ADFS domain creates a false sense of security and makes them far more likely to follow the link.
  • The Redirect Is Subtle: The open redirect fires quickly and seamlessly, so the average person has little chance of spotting the switch to a fraudulent site before entering credentials.

How to Protect Your Organization from ADFS Phishing

Defending against this threat requires a multi-layered approach that combines technical controls with user education. Organizations that rely on ADFS for single sign-on should take immediate steps to mitigate this risk.

  • Harden Your ADFS Configuration: The primary weakness is an ADFS deployment that acts as an open redirect. Administrators should review their ADFS configuration immediately and ensure that post-sign-in return URLs are restricted to the endpoints registered for each relying party and to known, trusted domains only; a request whose return URL points anywhere else should be rejected rather than followed. This fix closes the avenue the attack depends on.

  • Enforce Multi-Factor Authentication (MFA): MFA is the most effective single defense against credential theft. Even when an attacker captures a user's password, the account stays closed without the second factor (a code from an authenticator app, a text message, or a biometric check). Prefer phishing-resistant methods such as FIDO2 security keys or passkeys where possible: a fake login page can be extended to relay one-time codes in real time, but it cannot complete an origin-bound FIDO2 assertion for the wrong domain.

  • Enhance Employee Security Training: Educate users about the specifics of this threat. Teach them to treat unexpected sign-in prompts with suspicion even when the initial link looks legitimate, and to check the domain in the address bar at the moment they are asked for a password: it should be the organization's own sign-in host or login.microsoftonline.com, not a look-alike.

  • Deploy Advanced Endpoint and Email Protection: Use security controls that analyze where a link actually leads and that can detect malicious redirects after the click. Modern threat protection goes beyond the reputation of the first domain: it decodes the return-URL parameters embedded in a link, resolves its final destination, and blocks access to known phishing sites.
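The following Python script is an added illustration, not code from the original article or from the researchers it reports on. It shows the shape of the crafted link described in the attack steps above (trusted first hop, attacker-controlled return URL buried in a query parameter) and the allowlist check that the hardening and post-click link-analysis bullets call for. The hostnames, the sample links, and every parameter name except `wreply` (the WS-Federation return-URL parameter) are assumptions constructed for the example, not indicators from the campaign.

```python
# Added example (not code from the original article or from the researchers it
# cites): dissect a sign-in link whose first hop is a trusted SSO host but whose
# query string carries a return URL to somewhere else, then decide whether that
# return URL stays inside an allowlist. Hostnames, parameter names other than
# `wreply` (the WS-Federation return-URL parameter) and all sample links below
# are assumptions constructed for illustration, not indicators from the campaign.
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed allowlist: the only hosts a user may be sent on to after signing in.
TRUSTED_RETURN_HOSTS = {
    "adfs.companyname.com",        # the organisation's own ADFS (name from the article)
    "login.microsoftonline.com",
    "outlook.office.com",
}


def looks_like_url(value: str) -> bool:
    """True for absolute (http/https) and scheme-relative (//host) URLs."""
    return value.strip().lower().startswith(("http://", "https://", "//"))


def decode_url_value(raw: str) -> str:
    """parse_qs has already undone one layer of percent-encoding; peel at most
    two more so a double- or triple-encoded redirect is still seen as a URL."""
    value = raw
    for _ in range(2):
        if looks_like_url(value):
            break
        value = unquote(value)
    return value


def extract_return_urls(url: str, depth: int = 3) -> list[str]:
    """Every URL-valued query parameter in `url`, recursing into those values
    because attackers chain one redirect inside another."""
    found: list[str] = []
    if depth == 0:
        return found
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for raw in values:
            value = decode_url_value(raw)
            if looks_like_url(value):
                found.append(value)
                found.extend(extract_return_urls(value, depth - 1))
    return found


def host_of(url: str) -> str:
    """Lower-cased hostname, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def return_url_problems(url: str) -> list[str]:
    """Reasons a single return URL should be rejected (empty list = acceptable)."""
    parts = urlsplit(url)
    problems = []
    # Userinfo and backslashes make different parsers disagree about the host
    # (https://trusted@evil, https://evil\@trusted); reject rather than guess.
    if "@" in parts.netloc or "\\" in parts.netloc:
        problems.append("userinfo or backslash in authority")
    host = host_of(url)
    if host not in TRUSTED_RETURN_HOSTS:
        problems.append(f"return host not allowlisted: {host or '(none)'}")
    return problems


def analyse_link(url: str) -> dict:
    """Verdict for one link: where the user lands first, every onward hop
    encoded in it, and whether any hop leaves the allowlist."""
    first_hop = host_of(url)
    onward = extract_return_urls(url)
    findings = {u: return_url_problems(u) for u in onward}
    bad = [u for u, p in findings.items() if p]
    return {
        "first_hop": first_hop,
        "first_hop_trusted": first_hop in TRUSTED_RETURN_HOSTS,
        "onward_hosts": [host_of(u) for u in onward],
        "rejected": bad,
        "verdict": "block" if bad else "allow",
    }


# Constructed sample links. BENIGN is an ordinary sign-in link; CRAFTED has the
# shape the article describes: trusted first hop, double-encoded onward hop to an
# attacker-style host; RELATIVE and USERINFO show two evasions the check must catch.
BENIGN = ("https://adfs.companyname.com/adfs/ls/?wa=wsignin1.0"
          "&wreply=https%3A%2F%2Foutlook.office.com%2Fowa%2F")
CRAFTED = ("https://adfs.companyname.com/adfs/ls/?wa=wsignin1.0"
           "&wreply=https%3A%2F%2Flogin.microsoftonline.com%2F"
           "%3Fredirect_uri%3Dhttps%253A%252F%252Fsignin-m365.example%252Fowa")
RELATIVE = "https://adfs.companyname.com/adfs/ls/?wreply=%2F%2Fsignin-m365.example%2Fowa"
USERINFO = ("https://adfs.companyname.com/adfs/ls/"
            "?wreply=https%3A%2F%2Flogin.microsoftonline.com%40signin-m365.example%2F")

if __name__ == "__main__":
    for name, link in [("BENIGN", BENIGN), ("CRAFTED", CRAFTED),
                       ("RELATIVE", RELATIVE), ("USERINFO", USERINFO)]:
        print(name, analyse_link(link))
```

The same `analyse_link` check can sit in two places: at the mail gateway, where a link whose first hop is the company's ADFS host is still blocked when its decoded return URL leaves the allowlist, and in front of ADFS itself, where a request with a disallowed return URL is refused instead of being followed. The recursion matters because a crafted link often tunnels the attacker's host through a second, legitimate-looking hop, and the userinfo and backslash check exists because URL parsers disagree about which host `https://trusted@evil` names.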

As attackers continue to refine their methods, organizations must remain vigilant. By closing the redirect in infrastructure such as ADFS, requiring a second factor, and giving users the knowledge to spot phishing that starts on a trusted domain, you can significantly strengthen your defenses against credential theft and protect sensitive data.

Source: https://www.bleepingcomputer.com/news/security/hackers-steal-microsoft-logins-using-legitimate-adfs-redirects/
