Hackers exploit Microsoft ADFS to steal logins through legitimate redirects
Gugu Ntsele Aug 29, 2025 5:30:00 AM

Cybercriminals have developed a phishing technique that uses legitimate Microsoft Office.com links combined with Active Directory Federation Services (ADFS) to redirect users to credential-stealing pages, allowing attackers to bypass traditional URL detection and multi-factor authentication.
What happened
Push Security researchers discovered a novel phishing campaign targeting multiple organizations that leverages Microsoft's trusted infrastructure to steal login credentials. Attackers created custom Microsoft tenants with ADFS configurations to facilitate the attack chain.

The campaign begins when targets click malicious sponsored Google search results for "Office 265" (likely a typo for Office 365). This click triggers a redirect from Microsoft's legitimate office.com domain to bluegraintours[.]com, which then redirects to a phishing page designed to harvest Microsoft 365 credentials. The attackers configured ADFS to receive authorization requests from their controlled domain, acting as an identity and access management provider.

They populated the intermediate domain with fake blog posts and sufficient content to appear legitimate to automated security scanners. The threat actors also implemented conditional loading restrictions that only grant access to the phishing page for targets meeting specific criteria, automatically redirecting everyone else to the legitimate office.com site.
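As an added example (not from the article or from Push Security), the script below reconstructs redirect chains from constructed proxy log lines and flags the pattern described above: a chain that begins on a legitimate Microsoft host and then hops to a domain outside it. The trusted-host list, the log format and the hostnames other than those named in the article are assumptions.

```python
from urllib.parse import urlparse
# Hosts treated as Microsoft-owned for this example (an assumption, not a full list).
TRUSTED_SUFFIXES = ("office.com", "microsoft.com", "microsoftonline.com")

# Constructed proxy log: time client requested_url status location ("-" if none).
SAMPLE_LOG = """\
2025-08-29T05:30:01Z 10.0.0.5 https://www.office.com/?from=ad 302 https://bluegraintours.com/start
2025-08-29T05:30:02Z 10.0.0.5 https://bluegraintours.com/start 302 https://phish.example/login
2025-08-29T05:30:03Z 10.0.0.5 https://phish.example/login 200 -
2025-08-29T05:31:10Z 10.0.0.9 https://www.office.com/ 302 https://login.microsoftonline.com/common
2025-08-29T05:31:11Z 10.0.0.9 https://login.microsoftonline.com/common 200 -
"""
def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def parse_log(text):
    recs = []
    for line in text.splitlines():
        ts, client, url, status, loc = line.split()
        recs.append({"ts": ts, "client": client, "url": url,
                     "status": int(status), "loc": None if loc == "-" else loc})
    return recs

def redirect_chains(recs, max_hops=10):
    """Per client, follow each 3xx Location header to the request that fetched it."""
    by_client = {}
    for r in sorted(recs, key=lambda r: r["ts"]):
        by_client.setdefault(r["client"], []).append(r)
    chains = []
    for client, rs in by_client.items():
        for i, r in enumerate(rs):
            if any(p["loc"] == r["url"] for p in rs[:i]):
                continue  # this request is a hop of an earlier chain, not a start
            chain = [host_of(r["url"])]
            while 300 <= r["status"] < 400 and r["loc"] and len(chain) < max_hops:
                chain.append(host_of(r["loc"]))
                r = next((n for n in rs if n["url"] == r["loc"]), None)
                if r is None:
                    break  # redirect was issued but never followed in the log
            chains.append((client, chain))
    return chains

def flag_trusted_to_untrusted(chains):
    # The article's pattern: a chain that starts on a Microsoft host and then leaves it.
    return [(c, ch) for c, ch in chains
            if is_trusted(ch[0]) and any(not is_trusted(h) for h in ch[1:])]
```

Running `flag_trusted_to_untrusted(redirect_chains(parse_log(SAMPLE_LOG)))` surfaces only the first client's chain; the second client's hop from office.com to login.microsoftonline.com stays inside the trusted set and is not reported.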
What was said
Jacques Louw, co-founder and Chief Product Officer at Push Security, told BleepingComputer that "these attacks do not appear to target a specific industry or job roles, and may be the result of a threat actor's experimenting with new attack methods."
Louw further explained: "From what we've seen this appears to be a group experimenting with novel techniques to get users to click highly trusted links to fairly standard phishing kits - in the same vein as groups like Shiny Hunters and Scattered Spider have been seen doing."
In the know
Active Directory Federation Services (ADFS) is Microsoft's single sign-on solution that enables users to access multiple applications both inside and outside corporate networks using one set of login credentials. While ADFS remains available on Windows Server 2025 with no official deprecation plans, Microsoft actively encourages customers to migrate to Azure Active Directory for identity and access management. This technology becomes a security concern when malicious actors create their own Microsoft tenants and configure ADFS to facilitate credential theft while appearing to use legitimate Microsoft infrastructure.
Why it matters
This attack technique exploits the trust organizations place in Microsoft's infrastructure. Healthcare organizations and other sectors using Microsoft 365 face risks because the attack bypasses traditional URL-based security detection methods that many organizations rely on. The technique's ability to circumvent multi-factor authentication processes makes it dangerous for healthcare entities managing sensitive patient data under HIPAA requirements. Since the attack appears to originate from legitimate Microsoft domains, existing security awareness training may not prepare employees to recognize these threats, potentially leading to successful credential compromise and subsequent data breaches.
FAQs
How does this phishing method differ from traditional phishing emails?
It leverages trusted Microsoft infrastructure and redirects, making it harder to spot than typical malicious links.
Can this technique affect organizations not using ADFS?
Yes, attackers can still trick users through the initial phishing redirection even if the target organization doesn’t rely on ADFS.
What role do search engines like Google play in enabling this attack?
Malicious ads placed in search results are an entry point that initiates the phishing chain.