Alert: Hackers Target Microsoft ADFS with Sophisticated Credential-Stealing Scheme

ADFS Phishing Campaign Targets Organizations’ Authentication Systems

A sophisticated phishing campaign targeting Microsoft Active Directory Federation Services (ADFS) has been uncovered by Abnormal Security, affecting over 150 organizations, primarily in the education, healthcare, and government sectors.

The attackers impersonate IT support teams, sending emails that prompt users to update security settings or accept new policies. These messages direct victims to convincingly spoofed ADFS login pages designed to harvest credentials and bypass multi-factor authentication (MFA).

The phishing infrastructure includes templates tailored to various MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification. Once the login credentials and MFA codes have been captured, victims are redirected to the legitimate sign-in page so that the theft does not raise suspicion.

Key Features of the Attack:
– Targets organizational single sign-on systems
– Uses Private Internet Access VPN to mask attacker locations
– Employs sophisticated MFA bypass techniques
– Focuses on credential theft for business email compromise (BEC)

The compromised accounts are used to:
– Access corporate email systems
– Launch lateral phishing attacks
– Create malicious email filters
– Steal sensitive data
– Divert financial transactions

Security experts recommend that organizations migrate from ADFS to more secure solutions such as Microsoft Entra and deploy enhanced email filtering to prevent such attacks. These attacks do not directly breach ADFS itself; they exploit users’ trust in a familiar authentication workflow.