A new phishing campaign is exploiting Microsoft’s legacy ADFS identity solution to steal credentials and bypass MFA
Threat actors are launching a barrage of account takeover attacks on the global education sector


Hackers are targeting organizations around the world that rely on Microsoft’s Active Directory Federation Services (ADFS) secure access system in an ongoing phishing campaign, according to new research.
Analysis from Abnormal Security describes how Microsoft’s ADFS, a legacy single-sign-on (SSO) solution that allows employees to use one set of credentials to authenticate across multiple applications and environments, is being mimicked by hackers to gain access to corporate networks.
The attackers use spoofed ADFS sign-in pages to trick victims into entering these credentials, as well as any second-factor authentication details used in for additional protection, such as one-time pass codes (OTPs).
Abnormal stated that the campaign’s success has been driven by the attackers’ use of highly convincing phishing techniques including making their phishing emails appear as if they were sent from trusted entities.
For example, the attack tends to begin with an email designed to appear as a notification from the organization’s IT helpdesk, informing the recipient of an urgent update they need to initiate using a link provided in the message.
The URLs included in the emails were also obfuscated, mimicking the familiar link structure of legitimate ADFS links, helping them pass some link verification checks and not raise the victim’s suspicion.
The fake login pages were also specifically crafted to be identical to the official portal used by the victim’s organization.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Abnormal added that these pages dynamically pull the respective organization’s logo from its legitimate website and incorporate specific branding elements such as relevant colors and imagery.
According to the organization’s MFA protocol, the phishing template includes forms designed to steal the specific second factor required to authenticate the victim’s account, including Microsoft Authenticator, Duo Security, and SMS verification.
Finally, targets are sent a message telling them they might need to approve a push notification or answer an automated call, which redirects the target to an official sign-in page further reducing their suspicion and completing the account takeover.
Education sector heavily targeted due to reliance on legacy tech
Abnormal observed a range of post-compromise activities, many of which are associated with financially-motivated attacks, including mail filter creation, lateral phishing, and further reconnaissance.
The mail filters were often named ‘recommended’ or based on the target’s name to avoid detection, and used obfuscated keywords such as ‘hish’ instead of ‘phish’ or ‘elpdes’ instead of ‘help desk’.
“By using non-obvious terms, the threat actors reduced the likelihood of security solutions or analysts identifying the filters as malicious," Abnormal explained.
"These tailored techniques ensured that any responses to lateral phishing emails were intercepted and deleted, preventing the mailbox owner from noticing malicious activity or incoming replies."
The report noted the campaign was used to target over 150 organizations in the US, Canada, Australia, and Europe. The targets occupied a range of industries but the campaign disproportionately attacked those in the education sector such as schools and universities, who received over 50% of the total number of attacks.
Abnormal said Microsoft advises that organizations transition to its modern identity platform, Entra, speculating that attackers are exploiting the fact that many organizations still rely on its legacy ADFS system.
“This reliance is particularly prevalent in sectors with slower technology adoption cycles or legacy infrastructure dependencies—making them prime targets for credential harvesting and account takeovers,” the report suggested.
It added that educational organizations often exhibit less mature cybersecurity defenses, and feature environments with high user volumes, legacy technology, and fewer security personnel due to budget constraints, making them ideal targets.
RELATED WHITEPAPER
Abnormal’s findings highlight that even more advanced security layers such as MFA can be bypassed using sophisticated social engineering. The firm emphasized this demonstrates that they adopt a multi-layered approach to cyber defense.
This would include robust defenses such as advanced email filtering and behavior monitoring, boosting user awareness of potential threat tactics, and transitioning to modern platforms and instead of relying on legacy systems for critical functions like secure access.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
Healthcare organizations are turning a blind eye to phishing attacks
News A survey reveals that most attacks go unreported, putting patient data at risk
By Emma Woollacott
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
By Emma Woollacott
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
Troy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
By Jane McCallion
-
Security experts warn of ‘contradictory confidence’ over critical infrastructure threats
News Almost all critical national infrastructure (CNI) organizations in the UK (95%) experienced a data breach in the last year, according to new research.
By Emma Woollacott
-
Healthcare organizations need to shake up email security practices
News Microsoft 365 is the source of almost half of all healthcare email breaches, thanks mainly to misconfigurations in security settings.
By Emma Woollacott
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptake
News Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
By Nicole Kobie
-
Google is dropping SMS authentication for QR codes
News Google appears finally ready to deprecate using SMS codes for multi-factor authentication (MFA) for Gmail according to insiders at the search giant.
By Solomon Klappholz
-
Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to know
News A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts.
By Solomon Klappholz