Hackers Spoof Microsoft ADFS Login Pages to Steal Credentials and Bypass MFA

Feb 6, 2025 | News





A phishing campaign is targeting Microsoft Active Directory Federation Services (ADFS) using spoofed login pages to steal credentials and bypass multi-factor authentication (MFA) protections.

Targeted Organizations

  • Discovered by Abnormal Security, the campaign primarily targets:
    • Education
    • Healthcare
    • Government organizations
  • At least 150 organizations have been affected.

Attack Goals

  • Compromise corporate email accounts to send phishing emails within the organization.
  • Conduct financially motivated attacks such as business email compromise (BEC) to divert payments to threat actors.

How the Attack Works

1. Spoofing ADFS Login Pages

  • ADFS is an authentication system that enables Single Sign-On (SSO) for internal and cloud-based applications.
  • Attackers send phishing emails impersonating the IT team, asking users to update security settings.

Sample of a phishing email used in the attacks
Source: Abnormal Security

  • Clicking the link redirects victims to a fake ADFS login page, which looks identical to the real one.

Spoofed ADFS portals
Source: Abnormal Security

2. Capturing Credentials and MFA Codes

  • The phishing site asks for username, password, and MFA code or tricks victims into approving a push notification.
  • Templates target common MFA methods:
    • Microsoft Authenticator
    • Duo Security
    • SMS Verification

Two of the many available MFA bypass screens
Source: Abnormal Security


3. Immediate Account Takeover

  • After stealing credentials, attackers:
    • Log into the victim’s account in real time.
    • Steal sensitive data and create email filter rules.
    • Attempt lateral phishing within the organization.
  • Victims are then redirected to the real ADFS login page to avoid suspicion.

Additional Attack Techniques

  • Attackers use Private Internet Access VPN to:
    • Obscure their location
    • Mimic an IP address close to the organization



Defensive Measures

  • Migrate to modern authentication solutions like Microsoft Entra.
  • Enhance email security with:
    • Stronger phishing detection filters
    • Anomalous login activity monitoring
  • Educate employees about phishing techniques and social engineering tactics.
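The "anomalous login activity monitoring" recommendation is worth making concrete, because in this campaign the attackers relay the victim's MFA code, so a sign-in that satisfied MFA is not by itself a clean signal. What the article does give a defender to work with is the sequence: a sign-in from an unfamiliar (VPN) IP, followed within minutes by inbox-rule creation on the same account. The script below, added here as an editor's example and not code from the article, Abnormal Security, or Microsoft, correlates those two events. The log records are constructed and the field names (`ts`, `user`, `type`, `ip`, `mfa`, `rule`) are assumptions for illustration, not the real ADFS or Microsoft 365 audit schema; map them from whatever your SIEM exports.

```python
"""Correlate a sign-in from a never-before-seen IP with inbox-rule creation
shortly afterwards. Editor's example, not the article's or any vendor's code.
The event schema below is an assumption, not a real audit-log format."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Note both of alice's sign-ins
# show mfa=True: a relayed MFA code looks like a normal MFA-satisfied login.
EVENTS = [
    {"ts": "2025-02-06T09:00:00", "user": "alice", "type": "signin",
     "ip": "203.0.113.10", "mfa": True},
    {"ts": "2025-02-06T09:03:00", "user": "alice", "type": "signin",
     "ip": "198.51.100.77", "mfa": True},
    {"ts": "2025-02-06T09:05:30", "user": "alice", "type": "inbox_rule_created",
     "ip": "198.51.100.77", "rule": "move to RSS Feeds"},
    {"ts": "2025-02-06T10:00:00", "user": "bob", "type": "signin",
     "ip": "203.0.113.22", "mfa": True},
    {"ts": "2025-02-06T10:30:00", "user": "bob", "type": "inbox_rule_created",
     "ip": "203.0.113.22", "rule": "flag invoices"},
]

# Constructed baseline: IPs each user has signed in from before (in practice,
# build this from the previous N days of successful sign-ins).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}}


def detect(events, known_ips, window=timedelta(minutes=15)):
    """Return one alert per inbox-rule creation that follows, within `window`,
    a successful sign-in by the same user from an IP not in their baseline."""
    alerts = []
    recent_new_ip_signins = {}  # user -> (timestamp, ip) of last unfamiliar sign-in
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "signin":
            # The mfa flag is deliberately ignored: it is satisfied in this
            # campaign because the phishing page relays the victim's code.
            if ev["ip"] not in known_ips.get(user, set()):
                recent_new_ip_signins[user] = (ts, ev["ip"])
        elif ev["type"] == "inbox_rule_created":
            prior = recent_new_ip_signins.get(user)
            if prior and ts - prior[0] <= window:
                alerts.append({
                    "user": user,
                    "ip": prior[1],
                    "signin_at": prior[0].isoformat(),
                    "rule_at": ts.isoformat(),
                    "rule": ev["rule"],
                    "reason": "inbox rule created shortly after sign-in from unfamiliar IP",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_IPS):
        print(alert)
```

Bob's rule creation is not flagged: it comes 30 minutes after a sign-in from an IP already in his baseline. Alice's is, because the rule appears two and a half minutes after a sign-in from an address her account has never used. In a real deployment the IP baseline should be learned per user over a trailing window, and the same two-event correlation can be extended to the other post-compromise actions the article lists, such as bulk mailbox reads or outbound mail bursts from the freshly signed-in session.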


Source: bleepingcomputer.com
