Microsoft authentication system spoofed via phishing attack

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

  • Security researchers warning of new phishing campaign
  • This one abuses Microsoft's authentication system
  • The goal is to steal sensitive data and login credentials

Cybercriminals are impersonating Microsoft’s Active Directory Federation Services (ADFS) to steal people’s passwords, log into their accounts, and grab any sensitive information found there, experts have warned.

A new report from cybersecurity researchers Abnormal Security noted how the attack starts with a phishing email, impersonating the target company’s IT team, and claiming that the system has been upgraded and that all users need to re-authenticate.

Obviously, the email also comes with a clickable button, which takes the victim to a phishing site that looks identical to their organization's real ADFS login page.

Redirecting the victims

Microsoft's Active Directory Federation Services (AD FS) is a single sign-on (SSO) solution that allows users to access multiple applications using a single set of credentials. It extends Active Directory (AD) to provide federated identity management, enabling seamless and secure authentication across different organizations, cloud services, and applications.

This page asks for login credentials and MFA codes.

“The phishing templates also include forms designed to capture the specific second factor required to authenticate the target's account, based on the organization's configured MFA settings,” Abnormal said in the paper.

“Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification.”

When the victim types in their login details, the landing page redirects them to the legitimate sign-in page, to keep the ruse going. In the background, however, the attackers are already logging in, stealing sensitive data, creating new email filter rules, and trying to move laterally throughout the target network.

Abnormal added that the campaign mostly targets organizations in education, healthcare, and public sector industries. So far, some 150 organizations have been targeted, it added. The goal of the campaign doesn’t seem to be espionage. Instead, it seems to be financially motivated.

You might also like

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Phishing
Russian cyberattackers spotted hitting Microsoft Teams with new phishing campaign
A padlock resting on a keyboard.
Massive botnet is targeting Microsoft 365 accounts across the world
Smartphone with new logo X twitter app background. Application twitter old blue bird change X black and white new.
Phishing campaign targets prominent X users, accounts at risk
Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Zendesk Relate 2025
Zendesk Relate 2025 - everything you need to know as the event unfolds
Disney Plus logo with popcorn
You can finally tell Disney+ to stop bugging you about that terrible Marvel show you regret starting
Google Gemini AI
Gemini can now see your screen and judge your tabs
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Philips Hue
Philips Hue might be working on a video doorbell, and according to a new report, we just got our first look at it
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand