Unscrupulous hackers exploit Active Directory Federation Services to conduct phishing attacks via authentic Office.com links
In a recent investigation led by Push Security, researchers uncovered a sophisticated phishing campaign that aimed to steal Microsoft 365 login credentials. The attackers used a method that combined legitimate Office.com links with Active Directory Federation Services (ADFS) to redirect users to manipulated phishing sites.
The victim would not notice the invisible redirect from a trusted domain within the Microsoft infrastructure to the phishing site, bluegraintours. This seemingly innocuous reverse-proxy clone of a Microsoft login page was designed to bypass security mechanisms.
The attackers used malvertising as the delivery channel, bypassing email-level phishing controls. The malicious link was reached via a Google search: the user was redirected to an Office login URL carrying a series of Google Ads tracking parameters, which indicates that the user had clicked on an ad rather than an organic search result, so this was a malvertising attack.
The goal of the attackers was to successfully deliver the phishing site to users without triggering email security solutions, proxy scanners, URL feeds, or web analysis tools. This method bypasses not only URL-based security checks but also the multi-factor authentication process.
The security company that conducted the analysis of the method used by cybercriminals to steal Microsoft login credentials is Fortinet. Using Push Security's timeline feature, the researchers were able to trace the entire chain of user activity, from the original link source through the full redirection chain to opened and closed tabs, pop-ups, submitted forms, and entered passwords.
However, due to restrictions on conditional loading, the researchers could not fully replicate the attack sequence when loading the link the user had originally clicked. This attack essentially amounts to an open redirect vulnerability on Outlook.com, and setting up a similar phishing infrastructure requires only a credit card verification.
The fake website used in the attack, bluegraintours, was likely created with vibe coding. The attack method is reminiscent of SAMLjacking, in which the identity provider is swapped for an attacker-controlled one, and is referred to as ADFSjacking.
This notable trend of using malvertising in attacks, recently observed with Scattered Spider using Onfido-themed malvertising payloads, underscores the need for continuous vigilance and the adoption of advanced security measures to protect against such threats.