An innovative and remarkably deceptive phishing campaign is actively harvesting Microsoft 365 credentials by abusing Microsoft's own Active Directory Federation Services (ADFS) to send users from genuine office.com links to malicious login pages.
This technique, discovered by analysts at the cybersecurity firm Push Security, represents a notable development in phishing attacks, evading both user vigilance and conventional security controls.
The attack combines malvertising with a clever abuse of Microsoft's own infrastructure. Rather than relying on suspicious emails, the attackers place malicious advertisements on search engines.
A user searching for "Office 365" may click on a seemingly legitimate advertisement that takes them to a genuine outlook.office.com URL. However, this URL is specifically crafted to trigger the exploit.
Central to this scheme is the misuse of ADFS, a Microsoft function that enables single sign-on (SSO) by linking an organization’s local directory with cloud services.
The threat actors set up their own Microsoft tenant and configure its ADFS settings to redirect authentication requests to a phishing domain they control.
This manipulation causes Microsoft's own servers to send the unsuspecting victim from the trusted office.com domain to an exact, pixel-for-pixel replica of the Microsoft login page, Push Security indicated.
"This is essentially equivalent to Outlook.com having an unguarded redirect vulnerability," remarked a researcher from Push in their assessment.
This "ADFSjacking," as it has been named, is effective because the initial redirect comes from a trusted Microsoft domain, making the danger nearly impossible for URL-based security tools and cautious users to detect.
The investigation uncovered a multi-stage redirect chain built for evasion. After clicking the malicious ad, the user's browser is silently routed through an intermediary domain (in one instance, a counterfeit travel blog) before arriving at the final phishing site.
This intermediary stage is intended to fool automated domain categorization systems, which may classify the link as safe and so allow it to pass through web filters.
Once on the fraudulent login page, which acts as an Attacker-in-the-Middle (AitM) proxy, any credentials submitted are immediately intercepted. This approach also enables attackers to acquire session cookies, allowing them to circumvent multi-factor authentication (MFA) measures and gain complete access to the victim’s account.

This operation underscores a concerning trend where attackers are redirecting their delivery tactics away from email towards platforms like malvertising, social media, and instant messaging, thus circumventing robust email security gateways.
To reduce this risk, security professionals advise organizations to monitor their network logs for irregular ADFS redirects, particularly those pointing to unfamiliar domains.
Filtering for Google Ads parameters in traffic destined for office.com can further help identify this particular malvertising method. For end users, a reliable ad blocker in every web browser remains an essential line of defense against the initial lure.
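As an added example (not code from the article or from Push Security), the following script applies the two detection suggestions above to constructed web-proxy log lines: it flags requests to Microsoft office/login hosts that carry a Google Ads click parameter, and 3xx redirects from those hosts whose target is outside an allowlist. The log format, the `adfs.example.org` federation host, the `gclid` parameter list and the sample lines are all assumptions made for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: only Microsoft first-party hosts and the organisation's own
# federation host (hypothetical adfs.example.org) are legitimate redirect targets.
MICROSOFT_HOSTS = {"office.com", "www.office.com", "outlook.office.com",
                   "login.microsoftonline.com"}
TRUSTED_REDIRECT_HOSTS = MICROSOFT_HOSTS | {"adfs.example.org"}
AD_CLICK_PARAMS = {"gclid"}  # assumption: ad click-ID parameters worth flagging

# Constructed log format: "<timestamp> <client-ip> <status> <url> [location=<url>]"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<url>\S+)"
                    r"(?: location=(?P<location>\S+))?$")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def analyse_line(line):
    """Return a list of (finding, client, detail) tuples for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: ignore rather than crash the scan
    findings = []
    url, status, location = m["url"], int(m["status"]), m["location"]
    src = host_of(url)
    if src in MICROSOFT_HOSTS:
        # Signal 1: an ad click landing directly on an office/login host
        if set(parse_qs(urlparse(url).query)) & AD_CLICK_PARAMS:
            findings.append(("ad_click_to_office", m["client"], url))
        # Signal 2: Microsoft host redirecting the browser to an unfamiliar domain
        if 300 <= status < 400 and location:
            dst = host_of(location)
            if dst and dst not in TRUSTED_REDIRECT_HOSTS:
                findings.append(("untrusted_redirect", m["client"], f"{src} -> {dst}"))
    return findings

def analyse_log(lines):
    return [f for line in lines for f in analyse_line(line)]

# Constructed sample log: one ad-click hit, one normal ADFS hop, one suspicious hop
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z 10.0.0.5 302 https://outlook.office.com/?gclid=EXAMPLEID location=https://login.microsoftonline.com/common/oauth2/authorize",
    "2024-01-01T09:00:01Z 10.0.0.5 302 https://login.microsoftonline.com/common/oauth2/authorize location=https://adfs.example.org/adfs/ls/",
    "2024-01-01T09:05:00Z 10.0.0.7 302 https://login.microsoftonline.com/common/oauth2/authorize?wa=wsignin1.0 location=https://travel-blog.invalid/adfs/ls/",
    "2024-01-01T09:06:00Z 10.0.0.9 200 https://www.office.com/",
]

if __name__ == "__main__":
    for kind, client, detail in analyse_log(SAMPLE_LOG):
        print(f"[{kind}] client={client} {detail}")
```

In production the allowlist should contain every federation host the organisation legitimately uses, otherwise normal ADFS sign-ins will be flagged as well.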