A new phishing campaign has been observed targeting organizations using Microsoft Active Directory Federation Services (ADFS), leveraging spoofed login pages to steal credentials and bypass multi-factor authentication (MFA).
According to cybersecurity researchers at Abnormal Security, the attack exploits ADFS, a single sign-on (SSO) solution that allows users to authenticate across multiple applications with a single set of credentials.
Threat actors craft highly convincing phishing pages that mirror the legitimate ADFS login portals of targeted organizations, tricking users into submitting their credentials and MFA details.
How the Attack Works
Cybercriminals execute this attack in multiple stages:
- Phishing email: Spoofed emails, appearing to be from the organization’s IT department, prompt users to visit a fraudulent ADFS login page
- Credential harvesting: The phishing site collects usernames, passwords and MFA codes
- Account takeover: Attackers use stolen credentials to access the organization’s network, conduct lateral phishing and perform financial fraud
Unlike traditional phishing scams that create a sense of urgency, these emails use more subtle social engineering tactics. The attackers even customize phishing pages based on an organization’s MFA setup, increasing the likelihood of success.
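The spoofed portals described above work because they reproduce the look and the URL shape of a real ADFS sign-in page on a host the organization does not control. The following script is an added example, not code from the article or from Abnormal Security: it triages links extracted from inbound mail and flags those that carry ADFS sign-in markers (the standard /adfs/ls endpoint and the WS-Federation wa=wsignin1.0 action) on a host outside a hypothetical allowlist of the organization's genuine federation servers. The allowlisted hostnames, the lookalike tokens and the sample links are all constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of the organization's genuine federation hosts
# (assumption for this example; replace with your own ADFS / STS hostnames).
LEGIT_FEDERATION_HOSTS = {"adfs.example.edu", "sts.example.edu"}

# Tokens a lookalike host might borrow from the real SSO endpoint (assumed values).
SSO_HOST_TOKENS = ("adfs", "sts", "example")


def flag_spoofed_adfs_url(url):
    """Return a list of findings explaining why `url` looks like a spoofed
    ADFS sign-in page; an empty list means nothing suspicious was found."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    query = parse_qs(parts.query)

    # The organization's own federation service is trusted as-is.
    if host in LEGIT_FEDERATION_HOSTS:
        return []

    findings = []
    # /adfs/ls/ is the standard ADFS sign-in endpoint; seeing it on a foreign
    # host is the hallmark of a cloned login portal.
    if "/adfs/ls" in path:
        findings.append("adfs_path_on_foreign_host")
    # wa=wsignin1.0 is the WS-Federation sign-in action an ADFS portal expects.
    if query.get("wa", [""])[0].lower() == "wsignin1.0":
        findings.append("wsfed_signin_on_foreign_host")
    # Hostnames that reuse SSO/org tokens (e.g. adfs-example-edu.<attacker domain>).
    if any(token in host for token in SSO_HOST_TOKENS):
        findings.append("lookalike_host")
    # A genuine ADFS portal is always served over TLS.
    if parts.scheme != "https":
        findings.append("no_tls")
    return findings


def triage_links(links):
    """Map each suspicious link to its findings; clean links are omitted."""
    return {u: f for u in links if (f := flag_spoofed_adfs_url(u))}


# Constructed sample links as they might be extracted from inbound mail.
SAMPLE_LINKS = [
    "https://adfs.example.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline",
    "https://adfs-example-edu.login-verify.net/adfs/ls/?wa=wsignin1.0",
    "http://sso-example.com/login",
    "https://www.wikipedia.org/",
]

if __name__ == "__main__":
    for url, findings in triage_links(SAMPLE_LINKS).items():
        print(url, "->", ", ".join(findings))
```

The allowlist check comes first so the organization's real portal is never flagged; everything else is scored on where the ADFS markers appear, not on page content, which is why the check survives attackers cloning the portal's HTML exactly.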
Critical Sectors at Risk
The report identified over 150 targeted organizations across multiple industries, with the education sector accounting for more than 50% of attacks. Other affected industries include:
- Healthcare (14.8%)
- Government (12.5%)
- Technology (6.3%)
- Transportation (3.4%)