Introduction
A sophisticated phishing campaign has been identified, targeting organizations using Microsoft’s legacy Active Directory Federation Services (ADFS) [1] [2] [3] [4]. This campaign abuses weaknesses in single sign-on (SSO) login flows to deceive users and gain unauthorized access to sensitive information.
Description
A sophisticated phishing campaign has been identified that targets organizations utilizing Microsoft’s legacy Active Directory Federation Services (ADFS) [1], a single sign-on (SSO) solution [1]. Cybercriminals create highly convincing spoofed ADFS sign-in pages that closely replicate the legitimate login portals of the targeted organizations [1], dynamically incorporating their logos and branding elements to deceive users into providing their credentials and second-factor authentication details, such as one-time passcodes (OTPs) [2]. The phishing emails are crafted to appear as urgent notifications from the organization’s IT helpdesk [2], featuring obfuscated URLs that resemble legitimate ADFS links [2], thereby evading suspicion [2]. This campaign has notably affected over 150 organizations [3], particularly in the education sector [3], which is more vulnerable due to outdated technology and limited cybersecurity resources [3].
In addition to harvesting user credentials, this campaign aims to bypass multi-factor authentication (MFA), enabling attackers to take over accounts and gain unauthorized access to critical systems and sensitive data [4]. The phishing scheme includes forms designed to capture specific second-factor authentication methods [2], including Microsoft Authenticator [2] [4], Duo Security [2], and SMS verification [2]. Victims may receive messages prompting them to approve a push notification or answer an automated call [2], which then directs them to an official sign-in page [2], facilitating account takeover [2].
While the use of fake ADFS login pages represents a new development [4], ADFS has previously been exploited to circumvent MFA. Experts emphasize the importance of implementing phishing-resistant MFA solutions, as many popular options [4], including Microsoft Authenticator [2] [4], Google Authenticator [4], Duo [2] [4], push-based MFA [4], one-time passwords (OTP) [2], and SMS-based MFA [4], remain vulnerable to phishing attacks [4]. Microsoft recommends transitioning to its modern identity platform [3], Entra [3], to enhance security and mitigate these risks.
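As an added, defender-side example (not code from the cited reports or from Microsoft), the following Python script shows one way a mail gateway or proxy log review could flag links that imitate an organization's ADFS sign-in URL, the "obfuscated URLs that resemble legitimate ADFS links" described above. The legitimate hostname, the organization domain, the sample links and the lookalike rules are all assumptions constructed for illustration; a production check would also consult a public-suffix list and the organization's real federation metadata.

```python
"""Heuristic detector for ADFS-lookalike links in captured URLs.

Added example; the hostnames, sample URLs and rules are constructed for
illustration and are not taken from the campaign reports.
"""
import re
from urllib.parse import unquote, urlparse

# Assumed legitimate federation endpoint of a hypothetical organization.
LEGIT_ADFS_HOST = "adfs.example-university.edu"
ORG_REGISTERED_DOMAIN = "example-university.edu"

# Constructed sample of links as they might appear in mail-gateway or proxy logs.
SAMPLE_URLS = [
    "https://adfs.example-university.edu/adfs/ls/?wa=wsignin1.0",        # legitimate
    "https://adfs.example-university.edu.login-portal.net/adfs/ls/",    # real host used as a subdomain of a foreign domain
    "https://sso-helpdesk.net/adfs.example-university.edu/adfs/ls/",     # real host moved into the path
    "https://adfs-example-university.edu.co/adfs/ls/",                   # hyphen/TLD lookalike
    "https://adfs.example-university.edu@198.51.100.7/adfs/ls/",         # userinfo before '@'; real host is the IP
    "https://adfs%2Eexample-university%2Eedu.evil.test/adfs/ls/",        # percent-encoded dots hide the structure
    "https://mail.example-university.edu/owa/",                          # legitimate, unrelated to ADFS
]


def _squash(s: str) -> str:
    """Drop dots and hyphens so 'adfs-example-university.edu.co' and
    'adfs.example-university.edu' compare equal at the token level."""
    return re.sub(r"[.\-]", "", s.lower())


def classify_url(url: str) -> dict:
    """Return a verdict dict with the parsed host and the rules that fired."""
    decoded = unquote(url)  # normalize %2E-style encoding before parsing
    parsed = urlparse(decoded)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    result = {"url": url, "host": host, "suspicious": False, "reasons": []}

    # Anything genuinely under the organization's registered domain is trusted here.
    if host == ORG_REGISTERED_DOMAIN or host.endswith("." + ORG_REGISTERED_DOMAIN):
        return result

    if parsed.username:
        result["reasons"].append("userinfo before '@' hides the real host")
    if _squash(ORG_REGISTERED_DOMAIN) in _squash(host):
        result["reasons"].append("organization domain embedded in a foreign hostname")
    if ORG_REGISTERED_DOMAIN in path or LEGIT_ADFS_HOST in path:
        result["reasons"].append("organization domain embedded in the URL path")
    if "/adfs/" in path or "adfs" in host:
        result["reasons"].append("ADFS-style path or hostname on a non-organization host")

    result["suspicious"] = bool(result["reasons"])
    return result


def scan(urls):
    """Classify every URL in the input list."""
    return [classify_url(u) for u in urls]


def suspicious_urls(urls):
    """Return only the URLs that tripped at least one rule."""
    return [r["url"] for r in scan(urls) if r["suspicious"]]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_URLS):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['url']}")
        for reason in verdict["reasons"]:
            print(f"             - {reason}")
```

Run against the constructed sample, the two genuine organization URLs pass and the five lookalikes are flagged with the rule that caught them. The important design choice is the trust check: only hosts that actually end in the organization's registered domain are accepted, so a real hostname that merely appears inside a foreign hostname, in the path, or before an `@` is still treated as external.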
Conclusion
The impact of this phishing campaign is significant, particularly for sectors like education that are more susceptible due to outdated technology and limited cybersecurity resources. To mitigate these risks, organizations are advised to adopt phishing-resistant multi-factor authentication solutions and consider transitioning to more secure identity platforms, such as Microsoft’s Entra. As cyber threats continue to evolve, staying informed and proactive in implementing robust security measures is crucial to safeguarding sensitive information and maintaining system integrity.
References
[1] https://www.infosecurity-magazine.com/news/phishing-attack-bypasses-microsoft/
[2] https://www.itpro.com/security/cyber-crime/afds-phishing-campaign-microsoft
[3] https://www.newsminimalist.com/articles/hackers-exploit-microsoft-adfs-in-phishing-campaign-targeting-global-organizations-b6cf8147
[4] https://itnerd.blog/2025/02/04/phishers-exploit-microsofts-adfs-to-enable-account-takeover/