Hackers steal Microsoft logins using legitimate ADFS redirects

Hackers are using a novel technique that combines legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 logins.
In our most recent phish kit teardown, we encountered a standard reverse-proxy clone of a Microsoft login page — nothing unusual at first glance. But increasingly, a lot of the innovation comes outside of the phishing page itself.
The art in detection evasion comes from being able to successfully deliver the page to a user and have them open the page without it being intercepted by an email security, proxy scanner, URL TI feed, or web analysis tool. To achieve this, the attacker found a way to redirect from a legitimate outlook.office.com link to a phishing website.
This is essentially an open redirect vulnerability — maybe not the classic example where someone has forgotten to do input sanitization on their website, but the outcome is the same.
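The defender's view of the redirect described above: a link that begins on a real Microsoft host and, one or two hops later, lands somewhere the organization does not control. The following classifier is an added example, not code from the original post or from Push Security; the hop URLs, the path on the entry link and the trusted-domain list are constructed assumptions.

```python
"""Classify an HTTP redirect chain: does a link that starts on a trusted
Microsoft domain leave that domain before the user reaches a login page?
The sample chain below is constructed for illustration; the hop URLs are
not from the original post."""
from urllib.parse import urlsplit

# Assumption: first-party Microsoft domains a defender is willing to treat as
# expected hosts in a sign-in redirect chain. Adjust to your tenant's reality.
TRUSTED_SUFFIXES = ("office.com", "microsoft.com", "microsoftonline.com", "live.com")

def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def is_trusted(host: str) -> bool:
    """Exact-or-subdomain match only: 'office.com.evil.example' must NOT pass."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def classify_chain(hops):
    """Describe where an ordered redirect chain leaves trusted ground.

    hops: URLs as the browser saw them (initial link first, landing page last),
    e.g. reconstructed from proxy logs, a sandbox trace or a URL-rewriting
    mail gateway's click log.
    """
    hosts = [host_of(h) for h in hops]
    untrusted = [(i, h) for i, h in enumerate(hosts) if not is_trusted(h)]
    return {
        "starts_trusted": bool(hosts) and is_trusted(hosts[0]),
        "ends_trusted": bool(hosts) and is_trusted(hosts[-1]),
        "untrusted_hops": untrusted,
        # The pattern in the post: a trusted entry link that passes through or
        # lands on a host the organization does not control.
        "suspicious": bool(hosts) and is_trusted(hosts[0]) and bool(untrusted),
    }

# Constructed sample: a legitimate entry link that bounces through an
# attacker-controlled ADFS host and ends on a look-alike login page.
SAMPLE_CHAIN = [
    "https://outlook.office.com/placeholder-entry-link",          # hypothetical
    "https://adfs.login-portal.example/adfs/ls/",                 # hypothetical
    "https://login.microsoftonline.com.login-portal.example/",    # look-alike host
]

if __name__ == "__main__":
    print(classify_chain(SAMPLE_CHAIN))
```

The point of the suffix check is the third hop: a host that merely contains a Microsoft domain name is still untrusted, which is exactly the look a user glancing at the address bar is meant to miss.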
Commenting on this is Roger Grimes, Data-Driven Defense Evangelist at KnowBe4:
“ADFS has long been used by scammers and hackers to avoid detection. Part of that reason is that it’s an official Microsoft product, but not one that is usually strongly configured or monitored by the organizations that use it. In this case, the attackers are deploying and using it, which is a bit different than I’ve seen before. Nevertheless, using an official Microsoft product along with real Microsoft authentication logon pages is enough to fool people who might look at the logon links to see if they point to a valid Microsoft domain or not. In this case, they do, other than the one or two malicious URLs that are quickly shown to the user before they are moved over to more legit Microsoft domains. It’s an interesting use of ADFS in an attack.”
This highlights the need to always be vigilant. I say that because not paying attention to what a webpage is doing may lead to you getting pwned by a threat actor, as is the case here.
UPDATE: Here is an additional comment from Martin Jartelius, CTO at Outpost24:
“Using a password manager with domain-bound credentials, or a FIDO2-capable MFA, would help prevent this. It should be noted that while the attack begins by showing a legitimate URL, the page the user lands on differs, and that is where the credential theft occurs. Since it starts with faked content, in this case malvertising, where a valid domain is part of the chain but not the end destination, the main deception is against automated pre-screening solutions.”
“Abuse of existing redirects is an old technique for creating trusted initial links and producing better-looking URLs to trick users. As the attacker controls the ADFS functionality, there are not many hardening configurations organizations can apply beyond awareness and the technical resilience measures mentioned above.”
“Other important steps are to enable security features in the Microsoft environment, such as impossible travel detection, to quickly identify successful phishing attempts and stolen identities, allowing timely or even automated containment.”
This entry was posted on August 21, 2025 at 8:42 am and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed.