Hackers are targeting organizations around the world that rely on Microsoft’s Active Directory Federation Services (ADFS) secure access system in an ongoing phishing campaign, according to new research.
Analysis from Abnormal Security describes how Microsoft’s ADFS, a legacy single-sign-on (SSO) solution that allows employees to use one set of credentials to authenticate across multiple applications and environments, is being mimicked by hackers to gain access to corporate networks.
The attackers use spoofed ADFS sign-in pages to trick victims into entering these credentials, as well as any second-factor authentication details used in for additional protection, such as one-time pass codes (OTPs).
Abnormal stated that the campaign’s success has been driven by the attackers’ use of highly convincing phishing techniques including making their phishing emails appear as if they were sent from trusted entities.
For example, the attack tends to begin with an email designed to appear as a notification from the organization’s IT helpdesk, informing the recipient of an urgent update they need to initiate using a link provided in the message.
The URLs included in the emails were also obfuscated, mimicking the familiar link structure of legitimate ADFS links, helping them pass some link verification checks and not raise the victim’s suspicion.
The fake login pages were also specifically crafted to be identical to the official portal used by the victim’s organization.
Abnormal added that these pages dynamically pull the respective organization’s logo from its legitimate website and incorporate specific branding elements such as relevant colors and imagery.
According to the organization’s MFA protocol, the phishing template includes forms designed to steal the specific second factor required to authenticate the victim’s account, including Microsoft Authenticator, Duo Security, and SMS verification.
Finally, targets are sent a message telling them they might need to approve a push notification or answer an automated call, which redirects the target to an official sign-in page further reducing their suspicion and completing the account takeover.
Education sector heavily targeted due to reliance on legacy tech
Abnormal observed a range of post-compromise activities, many of which are associated with financially-motivated attacks, including mail filter creation, lateral phishing, and further reconnaissance.
The mail filters were often named ‘recommended’ or based on the target’s name to avoid detection, and used obfuscated keywords such as ‘hish’ instead of ‘phish’ or ‘elpdes’ instead of ‘help desk’.
“By using non-obvious terms, the threat actors reduced the likelihood of security solutions or analysts identifying the filters as malicious," Abnormal explained.
"These tailored techniques ensured that any responses to lateral phishing emails were intercepted and deleted, preventing the mailbox owner from noticing malicious activity or incoming replies."
The report noted the campaign was used to target over 150 organizations in the US, Canada, Australia, and Europe. The targets occupied a range of industries but the campaign disproportionately attacked those in the education sector such as schools and universities, who received over 50% of the total number of attacks.
Abnormal said Microsoft advises that organizations transition to its modern identity platform, Entra, speculating that attackers are exploiting the fact that many organizations still rely on its legacy ADFS system.
“This reliance is particularly prevalent in sectors with slower technology adoption cycles or legacy infrastructure dependencies—making them prime targets for credential harvesting and account takeovers,” the report suggested.
It added that educational organizations often exhibit less mature cybersecurity defenses, and feature environments with high user volumes, legacy technology, and fewer security personnel due to budget constraints, making them ideal targets.
RELATED WHITEPAPER
Abnormal’s findings highlight that even more advanced security layers such as MFA can be bypassed using sophisticated social engineering. The firm emphasized this demonstrates that they adopt a multi-layered approach to cyber defense.
This would include robust defenses such as advanced email filtering and behavior monitoring, boosting user awareness of potential threat tactics, and transitioning to modern platforms and instead of relying on legacy systems for critical functions like secure access.
-
European financial firms are battling a huge rise in third-party breachesNews Growing vendor dependency has contributed to a marked rise in third-party breaches
-
‘We’ve got some fabulous conditions’: Salesforce UK chief exec Zahra Bahrololoumi touts the country's tech industry potentialNews The UK remains a “priority market” for Salesforce, according to its regional CEO
-
FIN6 attackers target recruiters with fraudulent resumesNews The group's phishing methods protect it from many detection tools, researchers warn
-
100,000 accounts have been hit in a HMRC scam campaign, but the tax office says it wasn't hacked – here's whyNews Organized criminals used phished data to set up dodgy HMRC accounts and demand tax rebates
-
Confused at all the threat group names? You’re not alone. CrowdStrike and Microsoft want to change thatNews CrowdStrike and Microsoft hope to "bring clarity and coordination" to the cyber industry by unifying threat group naming conventions.
-
A flaw in OneDrive’s File Picker feature could give access to hundreds of appsNews The OneDrive File Picker flaw could affect hundreds of apps, researchers warn
-
Microsoft ramps up zero trust capabilities amid agentic AI pushNews The move from Microsoft looks to bolster agent security and prevent misuse
-
Employee phishing training is working – but don’t get complacentNews Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
