MS ADFS login pages were impersonated to steal user credentials

February 27, 2025
Tags: MS ADFS, Microsoft, Data Theft, Hacking, Authentication System, MFA, 2FA

A new phishing campaign that uses spoofed Microsoft Active Directory Federation Services (MS ADFS) login pages is trying to steal credentials and bypass MFA features.

MS ADFS is an authentication system that lets users log in once and then access multiple apps and services without re-entering their credentials.

Based on reports, the campaign primarily targets organisations in the education, healthcare, and government sectors, with at least 150 targets identified.

Moreover, these attacks aim to gain access to corporate email accounts, which are then used to send emails to other victims within the firm or to carry out financially motivated attacks.

The researchers noted that one of the most common follow-on attacks in the campaign is business email compromise (BEC), in which money is routed to the threat actors' accounts.

Hackers spoof MS ADFS

The phishing operators may have chosen MS ADFS as a lure because businesses commonly use it to provide single sign-on (SSO) for internal and cloud-based apps.

The attack begins with threat actors sending emails to targets while impersonating the company's IT team, asking recipients to log in to update security settings or accept new policies. Once a target clicks the embedded button, they are redirected to a phishing site that looks identical to their organisation's ADFS login page.

The phishing page then instructs the victim to enter their username, password, and MFA code, or tricks them into approving a push notification; the campaign uses templates tailored to the MFA methods most commonly in use.

Once the victim has provided all the information, they are redirected to the legitimate sign-in page, giving the impression that the procedure completed successfully.

Meanwhile, the phishing operators can use the stolen credentials to access the victim's account, steal valuable data, set up new email filter rules, and attempt to deceive more contacts.

Furthermore, the attackers in this campaign used Private Internet Access VPN to hide their location and obtain an IP address geographically closer to the target organisation.

Although these phishing attempts do not compromise ADFS itself and instead rely on social engineering to succeed, the method is noteworthy for its potential effectiveness. Organisations that use the targeted product should therefore consider migrating to modern, more secure solutions and deploy additional email filtering and unusual-activity detection to counter phishing attempts.
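As an added illustration of the unusual-activity detection the article recommends (example code written for this page, not from the researchers), the following Python triages inbox-rule creation events for the "new email filter rule" step described above. The log format, field names, folder list and keyword list are assumptions modelled loosely on Exchange audit records.

```python
# Added example (not from the article): flag inbox-rule creation events that
# look like post-compromise mailbox manipulation. The record layout below is a
# constructed, simplified form of an audit log entry; names are assumptions.
import json

# Heuristic keyword and folder lists (assumptions, tune for your tenant).
SUSPICIOUS_KEYWORDS = {"password", "phish", "hacked", "suspicious", "invoice", "payment"}
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items", "Junk Email", "Archive"}

def assess_rule(event: dict) -> list:
    """Return the reasons a New-InboxRule event looks attacker-created (empty if benign)."""
    if event.get("Operation") != "New-InboxRule":
        return []
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    reasons = []
    words = (params.get("SubjectContainsWords", "") + " " + params.get("BodyContainsWords", "")).lower()
    if any(k in words for k in SUSPICIOUS_KEYWORDS):
        reasons.append("filters on credential/payment keywords")
    if params.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    if params.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append("moves mail to " + params["MoveToFolder"])
    if params.get("MarkAsRead") == "True":
        reasons.append("marks matching mail as read")
    target = params.get("ForwardTo") or params.get("RedirectTo")
    if target and target.rsplit("@", 1)[-1].lower() != event.get("OrgDomain", "").lower():
        reasons.append("forwards to external address " + target)
    return reasons

def triage(log_lines: list) -> dict:
    """Map rule name to reasons for every flagged event in a list of JSON log lines."""
    flagged = {}
    for line in log_lines:
        event = json.loads(line)
        reasons = assess_rule(event)
        if reasons:
            flagged[event["RuleName"]] = reasons
    return flagged

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.org", "OrgDomain": "example.org",
                "RuleName": "Clean up", "Parameters": [{"Name": "SubjectContainsWords", "Value": "password;phishing;hacked"},
                {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.org", "OrgDomain": "example.org",
                "RuleName": "Invoices", "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice"},
                {"Name": "ForwardTo", "Value": "finance.archive@mail-example.net"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@example.org", "OrgDomain": "example.org",
                "RuleName": "Newsletters", "Parameters": [{"Name": "FromAddressContainsWords", "Value": "newsletter"},
                {"Name": "MoveToFolder", "Value": "Reading"}]}),
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(name + ": " + ", ".join(why))
```

Rules that delete or hide credential-related mail, or forward outside the organisation's domain, are the ones worth an analyst's attention; the benign newsletter rule is left alone.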
