Researchers at Abnormal Security have discovered a phishing campaign that abuses Microsoft Active Directory Federation Services (ADFS) to bypass multifactor authentication (MFA) and take over user accounts. The campaign targets approximately 150 organizations, primarily in the education sector, that rely on ADFS for authentication across multiple on-premises and cloud-based systems.
The attackers behind this campaign use spoofed emails to direct individuals to fake Microsoft ADFS log-in pages tailored to the target's specific MFA setup. Once a victim enters their credentials and an MFA code, the threat actors hijack the account and pivot to other services through the SSO function. They have been observed carrying out various post-compromise activities, including reconnaissance, creating mail filter rules to intercept communications, and running lateral phishing campaigns against other users within the organization.
Jim Routh, chief trust officer at security firm Saviynt, notes that targeting the legacy SSO capability in ADFS can yield significant gains for attackers. This feature, originally designed for use behind a firewall, is now more exposed as it is increasingly being utilized across cloud-based services, despite not being designed for that purpose.
Roger Grimes, data-driven defense evangelist at security firm KnowBe4, mentioned that the use of fake ADFS login pages in this campaign is an unprecedented tactic that he has not encountered before.
The campaign employs a common phishing ruse where targets receive emails masquerading as notifications from their organization’s IT help desk, urging them to take urgent action by clicking on a link provided in the message. Despite the sophistication of these emails, which include spoofed sender addresses and fraudulent login pages, the goal remains the same: to trick users into divulging their credentials and second-factor authentication details.
While organizations in various industries are targeted by this campaign, educational institutions face the highest volume of attacks, comprising over 50% of the total. This preference for targeting environments with high user volumes, legacy systems, and less mature cybersecurity defenses is also evident in attacks against sectors such as healthcare, government, technology, transportation, automotive, and manufacturing.
Although Microsoft and Abnormal Security advise organizations to transition to the modern identity platform Entra for authentication, many entities continue to rely on ADFS, leaving them vulnerable to credential harvesting and account takeovers. Sectors with slow technology adoption cycles or legacy infrastructure dependencies are particularly at risk of falling prey to these types of attacks.
Organizations that continue to use ADFS can still take steps to strengthen their security posture. Implementing phishing-resistant MFA for all users is a recommended measure, alongside user education on modern phishing techniques and the deployment of advanced email filtering, anomaly detection, and behavior monitoring to detect and mitigate phishing attacks and identify compromised accounts early.
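One concrete piece of the behavior monitoring recommended above is to watch for the mail filter rules the report says attackers create after a takeover. The following Python is an added example, not code from Abnormal Security or Microsoft; the audit records are constructed and simplified, the domain example.edu and the list of hiding folders are assumptions, and only the operation and parameter names (New-InboxRule, ForwardTo, MoveToFolder, SubjectContainsWords, DeleteMessage, MarkAsRead) match the real Exchange cmdlet.

```python
# Added example: flag Exchange Online inbox-rule audit events that look like
# post-compromise mail interception. Records are constructed and simplified,
# but the operation and parameter names match the real New-InboxRule cmdlet.
ORG_DOMAIN = "example.edu"  # assumed victim domain (constructed)
# Subjects attackers hide so the victim never sees IT warnings or replies
# to the lateral phishing sent from the hijacked mailbox.
SUSPECT_WORDS = {"password", "phish", "helpdesk", "suspicious", "security", "mfa"}
# Folders users rarely open, commonly used to park intercepted mail (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}


def analyze_rule_event(event: dict) -> list[str]:
    """Return the indicators an inbox-rule event triggers (empty list if benign)."""
    if event.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    p = event.get("Parameters", {})
    reasons = []
    targets = p.get("ForwardTo", []) + p.get("RedirectTo", []) + p.get("ForwardAsAttachmentTo", [])
    if any(not a.lower().endswith("@" + ORG_DOMAIN) for a in targets):
        reasons.append("forwards or redirects mail to an external address")
    words = {w.lower() for w in p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", [])}
    hides = bool(p.get("DeleteMessage")) or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS
    if hides and words & SUSPECT_WORDS:
        reasons.append("hides messages mentioning " + ", ".join(sorted(words & SUSPECT_WORDS)))
    if hides and p.get("MarkAsRead"):
        reasons.append("marks hidden mail as read so it never shows as unread")
    if len(p.get("Name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def find_suspicious_rules(events: list[dict]) -> dict[str, list[str]]:
    """Map each user to the indicators raised by their rule events."""
    findings: dict[str, list[str]] = {}
    for e in events:
        if reasons := analyze_rule_event(e):
            findings.setdefault(e["UserId"], []).extend(reasons)
    return findings


SAMPLE_EVENTS = [  # constructed audit records, not real data
    {"Operation": "New-InboxRule", "UserId": "student@example.edu", "Parameters": {
        "Name": ".", "SubjectContainsWords": ["Password", "helpdesk"],
        "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"Operation": "New-InboxRule", "UserId": "staff@example.edu", "Parameters": {
        "Name": "Newsletters", "FromAddressContainsWords": ["news"], "MoveToFolder": "Reading"}},
    {"Operation": "Set-InboxRule", "UserId": "dean@example.edu", "Parameters": {
        "Name": "Backup", "ForwardTo": ["collector@attacker.example"]}},
]
```

Running `find_suspicious_rules(SAMPLE_EVENTS)` flags the student and dean mailboxes while leaving the ordinary newsletter rule alone; in production the records would come from the unified audit log rather than the inline list.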