Cybercriminals Exploit Active Directory Federation Services and Office.com to Hijack Microsoft 365 Credentials
A novel and highly sophisticated phishing campaign is currently targeting Microsoft 365 credentials by exploiting Microsoft’s own Active Directory Federation Services (ADFS). Researchers at the cybersecurity firm Push Security have identified this technique as a significant evolution in phishing attacks, one that effectively bypasses user vigilance and traditional security filters. Instead of relying on suspicious emails, attackers are utilising malvertising, placing malicious ads on search engines. When users search for “Office 365,” they may click on what appears to be a legitimate ad that directs them to a genuine outlook.office.com URL. However, this URL is specially crafted to trigger an exploit that redirects users to a pixel-perfect replica of the Microsoft login page. The manipulation leverages ADFS, a feature that facilitates single sign-on (SSO) by connecting an organisation’s on-premises directory with cloud services, allowing attackers to redirect authentication requests to a phishing domain they control.
Dubbed “ADFSjacking,” this attack is particularly potent because the initial redirect originates from a trusted Microsoft source, making it nearly undetectable by URL-based security tools and cautious users alike. The investigation revealed a multi-stage redirect chain designed for evasion: the user’s browser is invisibly passed through an intermediary domain before landing on the final phishing site. This intermediary step is intended to deceive automated domain categorisation tools, which may classify the link as harmless. Once the user reaches the fake login page, which functions as an Attacker-in-the-Middle (AitM) proxy, any credentials entered are immediately captured. The proxy also allows attackers to steal session cookies, enabling them to bypass multi-factor authentication (MFA) protections and gain full access to the victim’s account. Security experts recommend that organisations monitor their network logs for unusual ADFS redirects, particularly those leading to unfamiliar domains, to mitigate this emerging threat.
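A detection sketch in the spirit of the monitoring advice above, added here as an example and not code from Push Security or Microsoft: it reads constructed web-gateway log lines (the log format, the organisation’s ADFS host adfs.corp.example.com and the domain allowlist are all assumptions) and flags 3xx responses from trusted sign-in hosts whose Location header sends the browser outside the expected Microsoft/ADFS domains, then follows that client’s later redirects to recover the intermediary hop and the final landing host.

```python
from urllib.parse import urlparse

# Constructed sample web-gateway log lines (not real traffic). Fields:
# timestamp, client IP, requested URL, HTTP status, Location header ("-" if none).
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.0.5 https://outlook.office.com/owa/ 302 https://login.microsoftonline.com/common/oauth2/authorize
2024-01-01T09:05:10Z 10.0.0.9 https://outlook.office.com/owa/ 302 https://cdn-redirect.example.net/go
2024-01-01T09:05:11Z 10.0.0.9 https://cdn-redirect.example.net/go 302 https://sso-portal.example.org/adfs/ls/
2024-01-01T09:05:12Z 10.0.0.9 https://sso-portal.example.org/adfs/ls/ 200 -
2024-01-01T09:10:00Z 10.0.0.7 https://adfs.corp.example.com/adfs/ls/ 302 https://login.microsoftonline.com/login.srf
"""

# Sign-in hosts users trust; adfs.corp.example.com stands in for the org's own ADFS (hypothetical).
TRUSTED_SOURCES = {"outlook.office.com", "login.microsoftonline.com", "adfs.corp.example.com"}
# Domains a legitimate Microsoft 365 / ADFS sign-in flow is expected to stay within (assumed allowlist).
ALLOWED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com", "live.com", "corp.example.com")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def host_allowed(host):
    # Exact match or a real subdomain; "evil-microsoft.com" must not pass.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, url, status, location = line.split()
        rows.append({"ts": ts, "client": client, "url": url, "status": int(status), "location": location})
    return rows

def find_suspicious_redirects(text, max_hops=10):
    """Flag redirects from a trusted sign-in host to a non-allowlisted domain and
    walk the client's subsequent redirects to capture the full chain of hosts."""
    rows = parse_log(text)
    # Per-client map of URL -> redirect target, used to follow multi-stage chains.
    hops = {(r["client"], r["url"]): r["location"] for r in rows if 300 <= r["status"] < 400}
    findings = []
    for r in rows:
        src = host_of(r["url"])
        if not (300 <= r["status"] < 400 and src in TRUSTED_SOURCES):
            continue
        if host_allowed(host_of(r["location"])):
            continue
        chain, nxt = [], r["location"]
        while nxt != "-" and len(chain) < max_hops:  # hop cap guards against redirect loops
            chain.append(host_of(nxt))
            nxt = hops.get((r["client"], nxt), "-")
        findings.append({"client": r["client"], "source": src, "chain": chain})
    return findings
```

On the sample log only client 10.0.0.9 is flagged, with the chain outlook.office.com -> cdn-redirect.example.net -> sso-portal.example.org; the other two redirects stay inside the allowed domains.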