
Hackers Target Education Sector, Take Over Microsoft Accounts


Researchers at Abnormal Security have discovered a phishing campaign that abuses Microsoft Active Directory Federation Services (ADFS) to bypass multifactor authentication (MFA) and take over user accounts. The campaign targets approximately 150 organizations, primarily in the education sector, that rely on ADFS for authentication across multiple on-premises and cloud-based systems.

The attackers use spoofed emails to direct individuals to fake Microsoft ADFS login pages tailored to the target's specific MFA setup. Once a victim enters their credentials and an MFA code, the threat actors hijack the account and pivot to other services through the SSO function. They have been observed carrying out various post-compromise activities, including reconnaissance, creating mail filter rules to intercept communications, and running lateral phishing campaigns against other users within the organization.

Jim Routh, chief trust officer at security firm Saviynt, notes that targeting the legacy SSO capability in ADFS can yield significant gains for attackers. This feature, originally designed for use behind a firewall, is now more exposed as it is increasingly being utilized across cloud-based services, despite not being designed for that purpose.

Roger Grimes, data-driven defense evangelist at security firm KnowBe4, mentioned that the use of fake ADFS login pages in this campaign is an unprecedented tactic that he has not encountered before.

The campaign employs a common phishing ruse where targets receive emails masquerading as notifications from their organization’s IT help desk, urging them to take urgent action by clicking on a link provided in the message. Despite the sophistication of these emails, which include spoofed sender addresses and fraudulent login pages, the goal remains the same: to trick users into divulging their credentials and second-factor authentication details.

While organizations in various industries are targeted by this campaign, educational institutions face the highest volume of attacks, comprising over 50% of the total. This preference for targeting environments with high user volumes, legacy systems, and less mature cybersecurity defenses is also evident in attacks against sectors such as healthcare, government, technology, transportation, automotive, and manufacturing.

Although Microsoft and Abnormal Security advise organizations to transition to the modern identity platform Entra for authentication, many entities continue to rely on ADFS, leaving them vulnerable to credential harvesting and account takeovers. Sectors with slow technology adoption cycles or legacy infrastructure dependencies are particularly at risk of falling prey to these types of attacks.

Despite the continued use of ADFS, organizations can take steps to enhance their security posture. Implementing phishing-resistant MFA for all users is a recommended measure, alongside user education on modern phishing techniques and the deployment of advanced email filtering, anomaly detection, and behavior monitoring technologies to detect and mitigate phishing attacks and identify compromised accounts early on.
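One concrete form of the anomaly detection recommended above is reviewing newly created inbox rules, since the campaign's post-compromise step of creating mail filter rules to intercept communications leaves an audit trail. The following is an added example, not code from the article or from Abnormal Security; the event field names are an assumption loosely modelled on Exchange "New-InboxRule" audit records, and the sample events are constructed.

```python
# Added example (not from the article): flag inbox-rule creations that hide or
# exfiltrate mail. Field names are an assumption loosely modelled on Exchange
# "New-InboxRule" mailbox audit records; the events below are constructed.
from typing import Dict, List

SECURITY_TERMS = {"password", "mfa", "verification", "phish", "helpdesk", "suspicious"}
HIDING_FOLDERS = {"rss feeds", "conversation history", "deleted items", "archive", "junk email"}

SAMPLE_EVENTS: List[Dict] = [  # constructed sample data
    {"id": 1, "user": "alice@example.edu", "operation": "New-InboxRule",
     "parameters": {"Name": "Cleanup", "SubjectOrBodyContainsWords": ["password", "MFA"],
                    "DeleteMessage": True}},
    {"id": 2, "user": "bob@example.edu", "operation": "New-InboxRule",
     "parameters": {"Name": "Forward", "ForwardTo": ["collector@attacker.invalid"]}},
    {"id": 3, "user": "carol@example.edu", "operation": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "SubjectOrBodyContainsWords": ["newsletter"],
                    "MoveToFolder": "Reading"}},
    {"id": 4, "user": "dave@example.edu", "operation": "Set-Mailbox",
     "parameters": {"AuditEnabled": True}},
]

def rule_findings(event: Dict, org_domain: str) -> List[str]:
    """Return the reasons an inbox-rule creation looks like interception, if any."""
    if event.get("operation") != "New-InboxRule":
        return []
    params = event.get("parameters", {})
    reasons: List[str] = []
    terms = [t.lower() for t in params.get("SubjectOrBodyContainsWords", [])]
    if any(k in t for t in terms for k in SECURITY_TERMS):
        reasons.append("filters on security-related keywords")
    if params.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves matching mail to a rarely read folder")
    suffix = "@" + org_domain.lower()
    if any(not addr.lower().endswith(suffix) for addr in params.get("ForwardTo", [])):
        reasons.append("forwards mail outside the organization")
    return reasons

def find_suspicious_rules(events: List[Dict], org_domain: str) -> Dict[int, List[str]]:
    """Map event id -> reasons for every rule creation that warrants analyst review."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        reasons = rule_findings(ev, org_domain)
        if reasons:
            hits[ev["id"]] = reasons
    return hits

if __name__ == "__main__":
    for eid, why in find_suspicious_rules(SAMPLE_EVENTS, "example.edu").items():
        print(f"event {eid}: {', '.join(why)}")
```

A rule that both matches security-related terms and deletes or hides the messages is the pattern worth escalating first, since it is what an attacker uses to suppress password-reset and sign-in alerts after a takeover.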
