New Attack Vector: ADFS and Office.com Exploited for Microsoft 365 Credential Theft
A new phishing campaign is making waves in the cybersecurity community, targeting Microsoft 365 users by exploiting Microsoft’s own Active Directory Federation Services (ADFS). What makes this attack particularly dangerous is that it uses legitimate office.com links as part of the lure, giving victims a false sense of security before redirecting them to malicious login pages.
How the Attack Works
Researchers at Push Security uncovered this campaign, noting that it represents a major evolution in phishing techniques. Instead of relying on suspicious emails or obvious fake websites, the attackers are leveraging malvertising—malicious ads placed on search engines.
For example, a user searching for “Office 365” may see a sponsored link that looks completely legitimate. Clicking it takes them to a genuine outlook.office.com URL. However, that URL is carefully crafted to trigger a redirect controlled by the attackers.
The key lies in abusing ADFS, which normally provides single sign-on (SSO) by connecting local directories with Microsoft’s cloud services. In this case, the attackers set up their own Microsoft tenant and manipulated its ADFS configuration to send authentication requests to a phishing domain.
This means that Microsoft’s own servers are effectively helping redirect users from a trusted office.com domain to a pixel-perfect clone of the Microsoft login page. As one Push Security researcher explained, “It’s basically the equivalent of Outlook.com having an open redirect vulnerability.”
Why It’s So Effective
This technique, sometimes referred to as “ADFSjacking,” is particularly insidious because the initial redirect comes directly from Microsoft’s infrastructure. URL-based security filters are unlikely to flag it, and even savvy users may not notice anything suspicious.
To further complicate detection, the attackers use a multi-stage redirect chain. In one case, traffic flowed through an unrelated website (a fake travel blog) before landing on the phishing page. This extra hop helps evade automated domain categorization tools and web filters.
Once victims arrive at the fake login page, the attackers use an Attacker-in-the-Middle (AitM) proxy setup to capture credentials in real time. Beyond stealing usernames and passwords, this also allows them to grab session cookies, which can bypass Multi-Factor Authentication (MFA) and give full access to accounts.
Shifting Tactics in Phishing Campaigns
This campaign highlights a broader shift in phishing tactics. Instead of relying solely on email—which is now heavily protected by secure email gateways—attackers are moving to channels like search engine ads, social media, and instant messaging. These alternative delivery methods allow them to sidestep traditional security defenses.
How to Defend Against It
Security teams should take proactive steps to detect and mitigate this type of attack:
- Monitor network logs for unusual ADFS redirects, especially those leading to domains outside your organization.
- Filter for suspicious Google Ad parameters in traffic directed to office.com.
- Deploy reputable ad blockers across corporate browsers to reduce exposure to malvertising.
- Educate employees about the risk of clicking sponsored search results and encourage them to bookmark trusted Microsoft login portals.
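As an added example (not code from the original article or from Push Security), the first two recommendations above can be turned into a simple detection pass over proxy logs: flag any 30x response served by a Microsoft sign-in host whose Location points outside the trusted set, and flag office.com requests that carry a Google Ads click identifier. The log format, the sample lines, the trusted-host list, the organization's ADFS hostname and the use of the `gclid` parameter are all assumptions made for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts that legitimately appear in the Microsoft 365 sign-in flow (assumed
# list; tune to what your own traffic shows) plus your organization's ADFS
# endpoint (placeholder name, replace with the real one).
TRUSTED_SUFFIXES = ("office.com", "microsoftonline.com", "microsoft.com", "live.com")
OWN_ADFS_HOST = "adfs.example-corp.internal"  # assumed placeholder

# Google Ads click identifier seen on sponsored-result clicks (assumption:
# its presence on an office.com request is worth a review).
AD_PARAMS = {"gclid"}

# Constructed proxy log format: timestamp client status request_url location
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<url>\S+) (?P<location>\S+)$")

# Constructed sample: sponsored click -> office.com -> Microsoft sign-in ->
# redirect to an unrelated "travel blog" host, followed by one benign SSO hop.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z 10.0.0.5 302 https://outlook.office.com/?gclid=EXAMPLE123 https://login.microsoftonline.com/common/oauth2/authorize
2025-09-01T10:00:02Z 10.0.0.5 302 https://login.microsoftonline.com/common/oauth2/authorize https://travel-blog.example.net/adfs/ls/
2025-09-01T10:00:03Z 10.0.0.5 200 https://travel-blog.example.net/adfs/ls/ -
2025-09-01T10:05:00Z 10.0.0.9 302 https://login.microsoftonline.com/common/oauth2/authorize https://adfs.example-corp.internal/adfs/ls/
""".splitlines()

def is_trusted(host):
    return host == OWN_ADFS_HOST or any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def analyze(lines):
    """Return (alert_kind, client, request_url, redirect_target) for suspicious lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        req = urlparse(m["url"])
        host = (req.hostname or "").lower()
        if not is_trusted(host):
            continue  # only hops that start on Microsoft (or own ADFS) infrastructure matter here
        # 1. Microsoft-hosted redirect whose target is outside the trusted set
        if m["status"].startswith("3") and m["location"] != "-":
            target = (urlparse(m["location"]).hostname or "").lower()
            if target and not is_trusted(target):
                alerts.append(("external_redirect", m["client"], m["url"], target))
        # 2. office.com request that arrived via an ad click identifier
        if (host == "office.com" or host.endswith(".office.com")) and AD_PARAMS & set(parse_qs(req.query)):
            alerts.append(("ad_click_to_office", m["client"], m["url"], "-"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Both alerts come from the same client within seconds, so correlating them per client (ad click followed by an external redirect from a sign-in host) gives a stronger signal than either one alone.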
This campaign serves as a stark reminder that attackers are always innovating, even turning trusted platforms against users. Defenders will need to stay one step ahead by expanding monitoring beyond email and applying layered defenses across web browsing, identity, and authentication systems.