Cybercriminals are impersonating Microsoft’s Active Directory Federation Services (ADFS) sign-in page in a phishing campaign built to steal login credentials and defeat multi-factor authentication (MFA). The campaign does not depend on a vulnerability in ADFS itself; it depends on victims typing their password and second factor into a lookalike page.
Security researchers have warned that this campaign has already targeted over 150 organizations, primarily in the education, healthcare, and government sectors.
How the Phishing Attack Works
The attack begins with a phishing email that appears to come from the target organization’s IT department. The email falsely claims that a system upgrade requires users to re-authenticate their accounts.
It includes a link to a fraudulent ADFS login page on an attacker-controlled site, built to look identical to the organization’s real one.
Once users enter their credentials, the phishing site captures them in real time. It then presents the same second-factor prompt the genuine service would, so the victim supplies an MFA code or approval exactly as they normally would, and that is captured too.
The phishing templates used in this campaign are built to capture each common second factor: codes from Microsoft Authenticator, Duo Security prompts and passcodes, and SMS-based verification codes. All of these rely on the user deciding which site to give the code to, which is precisely what the lookalike page subverts.
Because a one-time code is valid only for a short window, the attackers use the captured password and code within minutes to sign into the victim’s real account. Meanwhile, the phishing site redirects the victim to the legitimate Microsoft sign-in page, so they see a normal login rather than an error and have no reason to report anything.
Once inside, the attackers can read and exfiltrate sensitive information, modify email settings, and, because an ADFS session is trusted by every application federated with it, move laterally into other services and the organization’s network.
What Is Microsoft ADFS and Why Is It Targeted?
Microsoft Active Directory Federation Services (ADFS) is an on-premises single sign-on (SSO) service: users authenticate once against Active Directory and receive a token that federated applications accept, so one set of credentials opens many applications.
It extends Active Directory authentication to partner organizations, cloud services such as Microsoft 365, and line-of-business applications, which is exactly what makes it a valuable target: the ADFS login page is the front door to all of them.
By compromising an ADFS sign-in, attackers gain access not to one application but to every service that trusts that federation. From there they can extract confidential data, take over email accounts, and stage ransomware or other follow-on attacks.
Who Is Being Targeted?
Security researchers have identified that this phishing campaign is primarily aimed at industries that handle large amounts of sensitive data, including:
- Education – Universities and schools that store student and faculty records.
- Healthcare – Hospitals and medical institutions with patient information.
- Government agencies – Organizations dealing with confidential state and public sector data.
Unlike espionage-motivated attacks, this campaign appears to be financially driven. Attackers may be looking to sell stolen credentials on the dark web, commit fraud, or gain unauthorized access to financial systems.
How to Protect Against This Attack
Organizations and individuals can take several steps to defend against this phishing campaign and similar cyber threats:
1. Educate Employees About Phishing
Training staff to recognize phishing emails is crucial. Users should be skeptical of unexpected emails requesting re-authentication, especially those with urgent language or suspicious links, and should check that the sign-in page’s address is the organization’s real ADFS hostname before entering anything; the domain is the one part of the page the attacker cannot copy.
2. Use Phishing-Resistant MFA
Codes sent by SMS, codes generated by authenticator apps, and push approvals all depend on the user recognising which site is asking, so a lookalike page can relay them to the real service. Phishing-resistant methods such as FIDO2 security keys or passkeys and certificate-based authentication bind the login to the genuine site’s origin, so a credential presented on a lookalike domain is useless to the attacker.
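The relay described under “How the Phishing Attack Works” and the origin binding that defeats it, as an added example that is not part of the original article: a Python simulation using only the standard library, with all hostnames, user names and secrets made up and the security key’s signature replaced by an HMAC stand-in so it runs offline. A relayed TOTP code is accepted by the real identity provider; a WebAuthn-style assertion signed while the browser sits on the lookalike origin is rejected, because the signed client data names the phishing origin rather than the identity provider’s.

```python
"""Added example (not from the article). Simulates a lookalike login page
relaying credentials to the real identity provider. All hostnames, users and
secrets are made up; the security-key 'signature' is an HMAC stand-in for
the ECDSA signature real WebAuthn uses. The point is the origin check."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://adfs.example.edu"                           # assumed real host
PHISH_ORIGIN = "https://adfs-example-edu.account-update.example"   # assumed lookalike


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RealIdp:
    """The organisation's real sign-in service, reduced to the checks that matter."""

    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}       # user -> dict(password, totp_secret, cred_key)
        self.challenges = {}  # user -> outstanding WebAuthn challenge

    def register(self, user, password, totp_secret, cred_key):
        self.users[user] = dict(password=password, totp_secret=totp_secret, cred_key=cred_key)

    def login_totp(self, user, password, code, now):
        u = self.users.get(user)
        if (u and hmac.compare_digest(u["password"], password)
                and hmac.compare_digest(totp(u["totp_secret"], now), code)):
            return f"session:{user}"   # the IdP cannot tell who typed the code
        return None

    def webauthn_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_webauthn(self, user, assertion):
        """Signature valid, challenge fresh, and the signed origin must be ours."""
        u = self.users.get(user)
        expected = self.challenges.pop(user, None)
        if not u or expected is None:
            return None
        cdj = assertion["client_data_json"]
        sig = hmac.new(u["cred_key"], cdj.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, assertion["signature"]):
            return None
        client_data = json.loads(cdj)
        if client_data["challenge"] != expected or client_data["origin"] != self.origin:
            return None            # a relayed assertion fails here: origin mismatch
        return f"session:{user}"


class SecurityKey:
    """Victim's authenticator: signs the origin the browser reports, not what the page claims."""

    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def sign(self, challenge: str, browser_origin: str):
        cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": browser_origin})
        return {"client_data_json": cdj,
                "signature": hmac.new(self.cred_key, cdj.encode(), hashlib.sha256).hexdigest()}


class LookalikePage:
    """Attacker's fake ADFS page: forwards whatever the victim submits, in real time."""

    def __init__(self, real: RealIdp):
        self.real = real
        self.stolen_sessions = []

    def victim_submits_totp(self, user, password, code, now):
        token = self.real.login_totp(user, password, code, now)
        if token:
            self.stolen_sessions.append(token)
        return "302 -> https://login.microsoftonline.com/"   # victim sees a normal page

    def victim_uses_security_key(self, user, key: SecurityKey):
        challenge = self.real.webauthn_challenge(user)   # relayed unchanged
        assertion = key.sign(challenge, PHISH_ORIGIN)     # browser is on the fake page
        token = self.real.login_webauthn(user, assertion)
        if token:
            self.stolen_sessions.append(token)
        return token


def run_demo(now: float = 1_700_000_000.0):
    """Returns (totp_relay_worked, security_key_relay_worked)."""
    idp = RealIdp(REAL_ORIGIN)
    totp_secret, cred_key = b"victim-totp-seed", b"victim-credential-key"
    idp.register("jdoe", "Winter2025!", totp_secret, cred_key)
    fake = LookalikePage(idp)

    # Victim types password plus the 6-digit code from their app into the fake page.
    fake.victim_submits_totp("jdoe", "Winter2025!", totp(totp_secret, now), now)
    totp_relayed = fake.stolen_sessions == ["session:jdoe"]

    # Same victim on the same fake page, but the second factor is a security key.
    fake.victim_uses_security_key("jdoe", SecurityKey(cred_key))
    key_relayed = len(fake.stolen_sessions) == 2
    return totp_relayed, key_relayed


if __name__ == "__main__":
    print(run_demo())   # (True, False)
```

The identity provider has no way to tell whether the TOTP code was typed on its own page or relayed from somewhere else; the only thing it can check is that the code matches. With a security key, the browser writes the page’s real origin into the signed client data, and the key signs whatever the browser reports, so the assertion carries evidence of where the user actually was.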
3. Deploy Advanced Threat Detection
Organizations should implement email security solutions that detect and block phishing attempts before they reach users, and should monitor sign-in telemetry for the pattern this campaign produces: a successful login from an unfamiliar IP address, device, or country shortly after the user’s own activity. Tools that baseline each user’s normal login behaviour, AI-driven or otherwise, can flag that pattern for review.
4. Harden ADFS Security
IT teams should ensure that ADFS is configured to resist both this campaign and opportunistic password attacks: enable extranet lockout to limit password guessing, turn on security auditing on the ADFS farm and forward sign-in events to a SIEM, alert on sign-ins from unfamiliar locations or at unusual times, enforce strong authentication policies, and publish the organization’s real ADFS hostname so staff can recognise a lookalike.
5. Keep Systems Updated
Regular updates and security patches help prevent attackers from exploiting known vulnerabilities. Organizations should ensure that all authentication services, including ADFS, are up to date.
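One way to surface the attacker’s sign-in in federation audit data, covering the detection recommended under “Deploy Advanced Threat Detection” and the alerting under “Harden ADFS Security”, as an added example that is not part of the original article. The sample records are constructed, and their JSON layout and field names are an assumption, not any ADFS export format.

```python
"""Added example (not from the article): two simple rules over federation
sign-in audit records to surface the attacker's use of relayed credentials.
The records below are constructed; their JSON layout and field names are an
assumption, not an ADFS export format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jdoe's password and MFA code were relayed and replayed
# from abroad within two minutes; bsmith's session appears from a second IP
# and browser a few minutes after their own; asmith and mlee are normal.
SAMPLE_LOG = """\
{"ts":"2025-02-05T09:02:11Z","user":"jdoe","ip":"198.51.100.23","country":"US","result":"success","ua":"Edge/131"}
{"ts":"2025-02-05T09:03:40Z","user":"jdoe","ip":"203.0.113.77","country":"NL","result":"success","ua":"Chrome/120"}
{"ts":"2025-02-05T09:15:00Z","user":"asmith","ip":"198.51.100.45","country":"US","result":"success","ua":"Edge/131"}
{"ts":"2025-02-05T10:15:00Z","user":"asmith","ip":"198.51.100.45","country":"US","result":"success","ua":"Edge/131"}
{"ts":"2025-02-05T11:00:00Z","user":"mlee","ip":"192.0.2.9","country":"US","result":"failure","ua":"Firefox/130"}
{"ts":"2025-02-05T11:00:30Z","user":"mlee","ip":"192.0.2.9","country":"US","result":"success","ua":"Firefox/130"}
{"ts":"2025-02-05T13:00:00Z","user":"bsmith","ip":"198.51.100.50","country":"US","result":"success","ua":"Edge/131"}
{"ts":"2025-02-05T13:04:10Z","user":"bsmith","ip":"192.0.2.200","country":"US","result":"success","ua":"Chrome/120"}
"""

RAPID_WINDOW = timedelta(minutes=10)   # a relayed OTP is replayed within its validity period


def parse_log(text):
    """Parse one JSON record per line and return the events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_suspicious_logins(events, rapid_window=RAPID_WINDOW):
    """Flag successful sign-ins that break with the user's own earlier history.

    new_country:     first-ever success from that country for this user.
    rapid_ip_change: success from a different IP within `rapid_window` of the
                     user's previous success (victim and attacker both 'logged in').
    A user's very first success has no baseline and is never flagged.
    """
    seen_countries = defaultdict(set)
    last_success = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        user = e["user"]
        reasons = []
        if user in last_success:                       # a baseline exists
            if e["country"] not in seen_countries[user]:
                reasons.append("new_country")
            prev = last_success[user]
            if prev["ip"] != e["ip"] and e["ts"] - prev["ts"] <= rapid_window:
                reasons.append("rapid_ip_change")
        if reasons:
            alerts.append({
                "user": user, "ts": e["ts"].isoformat(), "ip": e["ip"],
                "country": e["country"], "ua": e["ua"], "reasons": reasons,
                "severity": "high" if "new_country" in reasons else "medium",
            })
        seen_countries[user].add(e["country"])
        last_success[user] = e
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(a["severity"], a["user"], a["ip"], a["country"], ",".join(a["reasons"]))
```

Timestamp, source IP and geolocation for each sign-in are available once ADFS security auditing is enabled and the events are forwarded to a SIEM. The new_country rule is only as good as the history behind it, so feed several weeks of sign-ins before trusting it; the rapid_ip_change rule needs no history beyond the previous success and catches the core of this campaign, a second session appearing minutes after the victim handed over a code.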
A Growing Threat to Organizations
This phishing campaign is a reminder that cybercriminals are constantly evolving their tactics to bypass security measures. With more companies relying on cloud-based authentication and SSO solutions, attackers are finding new ways to exploit these systems.
Organizations must remain vigilant, educate their employees, and implement strong cybersecurity measures to defend against phishing attacks that aim to steal credentials and bypass MFA protections.