Microsoft authentication system spoofed via phishing attack
Abnormal Security report warns of new phishing campaign that already struck 150+ organizations.
- Security researchers warning of new phishing campaign
- This one abuses Microsoft's authentication system
- The goal is to steal sensitive data and login credentials
Cybercriminals are impersonating Microsoft’s Active Directory Federation Services (ADFS) to steal people’s passwords, log into their accounts, and grab any sensitive information found there, experts have warned.
A new report from cybersecurity researchers Abnormal Security noted how the attack starts with a phishing email, impersonating the target company’s IT team, and claiming that the system has been upgraded and that all users need to re-authenticate.
Obviously, the email also comes with a clickable button, which takes the victim to a phishing site that looks identical to their organization's real ADFS login page.
Redirecting the victims
Microsoft's Active Directory Federation Services (AD FS) is a single sign-on (SSO) solution that allows users to access multiple applications using a single set of credentials. It extends Active Directory (AD) to provide federated identity management, enabling seamless and secure authentication across different organizations, cloud services, and applications.
This page asks for login credentials and MFA codes.
“The phishing templates also include forms designed to capture the specific second factor required to authenticate the target's account, based on the organization's configured MFA settings,” Abnormal said in the paper.
“Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification.”
When the victim types in their login details, the landing page redirects them to the legitimate sign-in page, to keep the ruse going. In the background, however, the attackers are already logging in, stealing sensitive data, creating new email filter rules, and trying to move laterally throughout the target network.
Abnormal added that the campaign mostly targets organizations in education, healthcare, and public sector industries. So far, some 150 organizations have been targeted, it added. The goal of the campaign doesn’t seem to be espionage. Instead, it seems to be financially motivated.
You might also like
- A new Microsoft 365 phishing service has emerged, so be on your guard
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
