A sophisticated phishing campaign has been discovered targeting organizations reliant on Microsoft’s Active Directory Federation Services (ADFS).
This legacy single sign-on (SSO) solution, designed to streamline authentication across multiple applications, is being exploited by attackers to bypass multi-factor authentication (MFA) and gain unauthorized access to critical systems.
How the Attack Works
Abnormal Security stated that the attack leverages advanced social engineering and technical exploitation techniques. Cybercriminals begin by sending phishing emails that appear to originate from trusted sources, such as an organization’s IT department.
These emails often carry urgent themes—such as security updates or policy changes—and include links to fraudulent ADFS login pages.
The URLs mimic legitimate ADFS structures, using obfuscation techniques to evade link verification tools and avoid raising suspicion among users.
Once victims click the link, they are directed to a fake ADFS login portal that is nearly indistinguishable from the authentic one.
These spoofed pages dynamically incorporate branding elements, such as logos and color schemes, from the targeted organization’s legitimate site. This added layer of authenticity, the report says, makes users more likely to enter both their credentials and their MFA codes.
After harvesting both primary credentials (username and password) and secondary authentication factors (e.g., one-time passcodes or push notifications), attackers redirect victims to the legitimate ADFS portal.
This tactic minimizes user suspicion while enabling the attackers to carry out account takeovers in real time.
ADFS serves as an identity provider (IdP) that facilitates authentication across applications via trust relationships. However, its reliance on legacy protocols makes it particularly vulnerable to modern phishing tactics. For example:
Credential Harvesting: Attackers exploit ADFS’s centralized authentication model, where compromising one account can grant access across multiple systems.
MFA Bypass Techniques: Attackers capture second-factor codes through phishing templates tailored to specific MFA setups (e.g., Microsoft Authenticator or SMS verification).
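Because the lure links copy the structure of a real ADFS sign-in URL, one defensive check is to flag any link that carries ADFS endpoint paths or WS-Federation/SAML parameters on a host the organization does not own. The following is an added example, not code from the report or from Abnormal Security; the legitimate host, organization name tokens and the sample e-mail are constructed for illustration.

```python
"""Flag links in inbound mail that imitate an organization's ADFS sign-in URL."""
import re
from urllib.parse import urlparse, parse_qs

# Assumed: the only host that should ever serve this organization's ADFS pages.
LEGIT_ADFS_HOSTS = {"sts.example-university.edu"}
# Assumed: spellings of the organization's name that a lookalike host might embed.
ORG_TOKENS = ("example-university", "exampleuniversity")
# Paths real ADFS endpoints use; seeing them on a foreign host is suspicious.
ADFS_PATH_MARKERS = ("/adfs/ls", "/adfs/oauth2", "/adfs/portal")
# Query parameters typical of an ADFS WS-Federation or SAML sign-in request.
ADFS_QUERY_KEYS = ("wa", "wtrealm", "SAMLRequest", "client-request-id")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url: str) -> str:
    """Return 'legit', 'adfs-lookalike' or 'other' for a single URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.lower()
    query = parse_qs(parsed.query)
    if host in LEGIT_ADFS_HOSTS:
        return "legit"
    # 1. An ADFS endpoint path served from a host the organization does not own.
    if any(path.startswith(marker) for marker in ADFS_PATH_MARKERS):
        return "adfs-lookalike"
    # 2. ADFS-style sign-in parameters on an unknown host.
    if any(key in query for key in ADFS_QUERY_KEYS):
        return "adfs-lookalike"
    # 3. The organization's name embedded in a host it does not control.
    if any(token in host for token in ORG_TOKENS):
        return "adfs-lookalike"
    return "other"


def flag_links(message: str) -> list:
    """Return (url, verdict) for every link in a message that is not 'other'."""
    return [(u, classify_link(u)) for u in URL_RE.findall(message)
            if classify_link(u) != "other"]


# Constructed sample e-mail body mimicking an "urgent IT security update" lure.
SAMPLE_EMAIL = (
    "IT Security: your password expires today. Sign in to keep access:\n"
    "https://sts-example-university-edu.login-verify.example/adfs/ls/?wa=wsignin1.0\n"
    "Questions? See https://www.example.org/help\n"
)

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_EMAIL):
        print(verdict, url)
```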
The consequences of this campaign are severe. By bypassing MFA, attackers gain full access to corporate networks, enabling them to conduct lateral phishing campaigns, exfiltrate sensitive data, and execute financially motivated attacks.
Over 150 organizations across sectors such as education, healthcare, government, and technology have already been affected. Educational institutions account for over 50% of the attacks due to their high user volumes and reliance on legacy systems.
To mitigate these risks, organizations should adopt modern security platforms that incorporate Zero Trust Architecture, implement strong password policies, restrict login attempts, and use secure authentication methods.
As attackers continue to exploit vulnerabilities in legacy systems and human psychology, organizations must prioritize modernizing their security infrastructure and enhancing user awareness to protect against such sophisticated attacks.