Microsoft authentication system spoofed via phishing attack

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system

(Image credit: weerapatkiatdumrong / Getty Images)

Security researchers warning of new phishing campaign
This one abuses Microsoft's authentication system
The goal is to steal sensitive data and login credentials

Cybercriminals are impersonating Microsoft’s Active Directory Federation Services (ADFS) to steal people’s passwords, log into their accounts, and grab any sensitive information found there, experts have warned.

A new report from cybersecurity researchers Abnormal Security noted how the attack starts with a phishing email, impersonating the target company’s IT team, and claiming that the system has been upgraded and that all users need to re-authenticate.

Obviously, the email also comes with a clickable button, which takes the victim to a phishing site that looks identical to their organization's real ADFS login page.

Redirecting the victims

Microsoft's Active Directory Federation Services (AD FS) is a single sign-on (SSO) solution that allows users to access multiple applications using a single set of credentials. It extends Active Directory (AD) to provide federated identity management, enabling seamless and secure authentication across different organizations, cloud services, and applications.

This page asks for login credentials and MFA codes.

“The phishing templates also include forms designed to capture the specific second factor required to authenticate the target's account, based on the organization's configured MFA settings,” Abnormal said in the paper.

“Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification.”

When the victim types in their login details, the landing page redirects them to the legitimate sign-in page, to keep the ruse going. In the background, however, the attackers are already logging in, stealing sensitive data, creating new email filter rules, and trying to move laterally throughout the target network.

Abnormal added that the campaign mostly targets organizations in education, healthcare, and public sector industries. So far, some 150 organizations have been targeted, it added. The goal of the campaign doesn’t seem to be espionage. Instead, it seems to be financially motivated.

A new Microsoft 365 phishing service has emerged, so be on your guard
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.