Hackers are looking to steal Microsoft logins using some devious new tricks - here's how to stay safe
Ads, Microsoft ADFS features, and more abused in a brand new phishing scheme

- A new phishing scheme successfully bypasses most security tools
- It abuses ads and Microsoft's Active Directory Federation Services tool
- It is designed to steal login credentials, so users should take care
Cybercriminals have found a clever way to make phishing sites look like legitimate login pages, successfully stealing Microsoft credentials, experts have warned.
Cybersecurity researchers at Push Security recently published an in-depth report on how the scam works, outlining how the attackers created fake login pages that mimicked authentic Microsoft 365 sign-in screens.
Then, instead of sending victims directly to the site, which would probably get flagged by security solutions and quickly blocked, they used a Microsoft feature called Active Directory Federation Services (ADFS). Companies normally use it to connect their internal systems to Microsoft services.
How to stay safe
By setting up their own Microsoft account and configuring it with ADFS, the attackers tricked Microsoft's service into redirecting users to the phishing site, while the link looked legitimate because it started with something like 'outlook.office.com'.
Furthermore, the phishing link was not distributed by email but through malvertising. Victims searched for "Office 265", presumably a typo, and were taken from the ad to an Office login page. The ad also used a fake travel blog, bluegraintours[.]com, as an intermediate step to hide the attack.
The way the entire campaign was set up made it particularly dangerous. With the link appearing to come from Microsoft and bypassing many security tools that check for malicious links, its success rate was probably higher than that of "traditional" phishing.
Furthermore, since it doesn’t rely on email, the usual email filters couldn’t catch it. Finally, the landing page could even bypass multi-factor authentication (MFA), which made it even more dangerous.
In order to prevent such scams from causing any real harm, IT teams should block ads, or at least monitor ad traffic, and watch for redirects from Microsoft login pages to unknown domains.
Finally, users should be careful when typing in search terms - a simple typo can lead to a fake ad that can result in device compromise and account takeover.
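As an added example that is not part of the article or Push Security's report, the check below scans constructed proxy log lines for 3xx redirects that leave a Microsoft sign-in host for a federation endpoint that is neither Microsoft's nor the organisation's own ADFS server. The Microsoft host list, the trusted ADFS host and the log format are assumptions made for the example.

```python
from urllib.parse import urlparse

# Hosts where a Microsoft 365 sign-in normally begins (assumed list for this example).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "outlook.office.com", "login.live.com"}
# Redirect targets owned by Microsoft that are expected during a normal sign-in.
MICROSOFT_SUFFIXES = (".microsoftonline.com", ".microsoft.com", ".office.com", ".live.com")

# Constructed proxy log lines (not real traffic):
# timestamp client status requested_url location_header ("-" when absent)
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.1.2.3 302 https://login.microsoftonline.com/common/oauth2/authorize https://login.microsoftonline.com/common/login
2025-03-01T10:00:02Z 10.1.2.3 302 https://outlook.office.com/owa/?realm=contoso.com https://adfs.contoso.com/adfs/ls/
2025-03-01T10:00:03Z 10.1.2.4 302 https://outlook.office.com/owa/?realm=lure.example https://lure-login.example/adfs/ls/
2025-03-01T10:00:04Z 10.1.2.5 302 https://login.microsoftonline.com/common/login /common/oauth2/v2.0/authorize
2025-03-01T10:00:05Z 10.1.2.6 200 https://www.example.com/ -
"""


def _host(url):
    """Lower-cased hostname of a URL, or '' for a relative URL."""
    return (urlparse(url).hostname or "").lower()


def is_microsoft_host(host):
    return host in MICROSOFT_LOGIN_HOSTS or host.endswith(MICROSOFT_SUFFIXES)


def find_suspicious_redirects(log_text, trusted_federation_hosts):
    """Return (timestamp, client, source_host, target_host) for every redirect
    that leaves a Microsoft sign-in host for an untrusted, non-Microsoft host."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; a real pipeline would record and skip it
        ts, client, status, url, location = parts
        if not status.startswith("3") or location == "-":
            continue  # only redirects matter here
        src = _host(url)
        if src not in MICROSOFT_LOGIN_HOSTS:
            continue
        dst = _host(location)
        if not dst:
            continue  # relative Location header stays on the same host
        if is_microsoft_host(dst) or dst in trusted_federation_hosts:
            continue  # Microsoft's own hosts or the organisation's known ADFS server
        findings.append((ts, client, src, dst))
    return findings


if __name__ == "__main__":
    # adfs.contoso.com is the assumed in-house federation server for this example.
    for finding in find_suspicious_redirects(SAMPLE_LOG, {"adfs.contoso.com"}):
        print("suspicious federation redirect:", finding)
```

Feed the function your proxy or web gateway's redirect records in the same five-field shape, and replace the trusted set with your organisation's real ADFS hostnames.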
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.