Phishing, Identity, Threat Intelligence
Bogus Microsoft ADFS login pages leveraged for widespread credential theft
Hackread reports that more than 150 organizations worldwide, most of which are in the U.S., have been subjected to a new, ongoing phishing campaign that uses fraudulent Microsoft Active Directory Federation Services (ADFS) login pages to facilitate credential exfiltration. Intrusions in the campaign, which has primarily targeted the education sector, began with the distribution of notification-spoofing phishing emails that deceive recipients into clicking a link redirecting to a seemingly legitimate ADFS portal, which seeks to compromise targets' second-factor authentication, according to an analysis from Abnormal Security. Attackers further establish the legitimacy of the operation by redirecting targets to the organization's ADFS login page before proceeding with account takeover attacks exploiting VPNs. "This approach leverages nuanced psychological tactics to exploit human vulnerabilities and reinforce a false sense of legitimacy," said the report. KnowBe4's Roger Grimes regarded the ADFS-exploiting attack as sophisticated and urged the implementation of phishing-resistant multi-factor authentication to prevent potential compromise.