Cybersecurity researchers at Abnormal Security have uncovered a phishing campaign targeting organizations that use Microsoft Active Directory Federation Services (ADFS). The attackers stand up counterfeit login pages that closely mimic legitimate ADFS portals and use them to capture both user credentials and the one-time codes issued by multi-factor authentication (MFA), which lets them sign in even though MFA is enabled.
The attack begins with deceptive emails that appear to come from the organization's IT department. The messages link to fraudulent ADFS login pages that collect usernames, passwords, and MFA codes. Because a one-time code is only valid for a short window, the attacker has to replay it against the real portal almost immediately, so the capture and the fraudulent sign-in are effectively one event. With a working session, attackers can move further into the network, launch further phishing attempts, and commit financial fraud.
Unlike common phishing lures that rely on urgency, these attacks use subtler manipulation. The operators also tailor each fake login page to the target organization's MFA configuration, so the second-factor prompt matches what the real portal would show, which makes the scam considerably more convincing.
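The simplest triage a mail-security or SOC team can run on the lure emails described above is to check every link against the organization's real federation host: a link that carries the ADFS sign-in path, embeds the organization's domain inside a foreign host, or sits on a lookalike domain is a counterfeit portal candidate. The script below is an added example written for this article, not code from Abnormal Security or from the campaign; the federation host `sts.example.com`, the sample email text, and the function names are constructed for illustration.

```python
"""Flag links in an email body that imitate an organization's ADFS portal.

Added example for this article (not Abnormal Security's tooling).
Assumption: the organization's genuine federation service is
sts.example.com (hypothetical). Sample email text below is constructed.
"""
import re
from urllib.parse import urlparse

LEGIT_FEDERATION_HOST = "sts.example.com"          # hypothetical real ADFS host
# ADFS publishes its sign-in endpoints under /adfs/ls/ (WS-Fed/SAML) and
# /adfs/oauth2/ (OAuth); a clone usually keeps the path to look authentic.
ADFS_PATH = re.compile(r"^/adfs/(ls|oauth2)(/|$)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url: str, legit_host: str = LEGIT_FEDERATION_HOST):
    """Return (verdict, reason) for one URL: 'ok', 'suspicious' or 'unknown'."""
    parsed = urlparse(url.rstrip(".,;"))
    host = (parsed.hostname or "").lower()
    legit_domain = registrable_domain(legit_host)
    if host == legit_host or host.endswith("." + legit_domain):
        return "ok", "host is under the organization's own domain"
    reasons = []
    if ADFS_PATH.match(parsed.path):
        reasons.append("ADFS sign-in path on a host that is not the federation service")
    # e.g. sts.example.com.evil.org or sts-example-com.net
    if legit_domain in host or legit_host.replace(".", "-") in host:
        reasons.append("organization's domain embedded in a foreign host")
    dist = levenshtein(registrable_domain(host), legit_domain)
    if 0 < dist <= 2:
        reasons.append(f"registrable domain within {dist} edit(s) of {legit_domain}")
    if parsed.scheme != "https":
        reasons.append("not served over HTTPS")
    if reasons:
        return "suspicious", "; ".join(reasons)
    return "unknown", "no ADFS portal indicators"


def scan_message(body: str, legit_host: str = LEGIT_FEDERATION_HOST):
    """Extract every URL from an email body and assess each one."""
    return [(u,) + assess_link(u, legit_host) for u in URL_RE.findall(body)]


# Constructed lure in the style described in the article: an "IT department"
# notice pointing at a cloned ADFS page on a lookalike domain.
SAMPLE_EMAIL = """\
From: IT Service Desk
Subject: Action required: confirm your MFA device

Our records show your authenticator has not been re-registered.
Please confirm here: https://sts.examp1e.com/adfs/ls/?wa=wsignin1.0
Reference policy: https://intranet.example.com/policies/mfa
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}\n           {reason}")
```

The host check deliberately treats anything under the organization's registrable domain as "ok" so that internal links do not generate noise; the two-label approximation of a registrable domain is enough for a demonstration but a production version should use a public-suffix list so that hosts like `example.co.uk` are handled correctly.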
The research identified over 150 targeted organizations, with educational institutions making up more than half of the victims. Healthcare organizations accounted for 14.8% of targets, followed by government agencies at 12.5%, technology companies at 6.3%, and transportation entities at 3.4%. Most affected organizations are located in the United States, Canada, Australia, and Europe.
Organizations still running ADFS face heightened risk: the ADFS sign-in page is published on the internet under a predictable path (/adfs/ls/), which makes it easy to clone, and many of these organizations have not yet migrated to Microsoft's cloud identity platform, Microsoft Entra ID. To protect against these threats, security experts advise:
- Moving to modern identity platforms like Microsoft Entra
- Strengthening employee security awareness training
- Deploying AI-powered email filtering and monitoring tools
Taken together, these measures reduce the chance that a stolen password and one-time code can be turned into a working session. One caveat worth stating plainly: any MFA method that produces a code the user types in remains exposed to this kind of real-time capture, whereas phishing-resistant methods such as FIDO2 security keys bind the authentication to the genuine site's origin and give a counterfeit page nothing it can relay.