Exploiting ADFS: A New Frontier for Cybercriminals

Cybercriminals have found a new playground in the vulnerabilities of Microsoft Active Directory Federation Services (ADFS), exploiting it to steal login credentials through legitimate redirects. This sophisticated attack vector involves crafting phishing pages that closely mimic the ADFS login portals of targeted organizations, tricking users into divulging their credentials and multi-factor authentication (MFA) details. Such tactics have been alarmingly effective, compromising accounts across over 150 organizations, including sectors like education, healthcare, and government (Infosecurity Magazine).

The attackers’ strategy includes the use of spoofed login portals and malvertising, which involves embedding malicious ads on legitimate websites to redirect users to phishing sites. This method bypasses traditional email-based phishing controls, creating a highly convincing scenario (Push Security). Moreover, advanced social engineering techniques are employed, with phishing emails crafted to appear as urgent communications from trusted sources, further enhancing the deception (Cybersecurity News).

Understanding the Attack Vector

Exploitation of Microsoft Active Directory Federation Services (ADFS)

The attack vector primarily exploits vulnerabilities in Microsoft Active Directory Federation Services (ADFS), a single sign-on (SSO) solution. ADFS allows users to authenticate across multiple applications with a single set of credentials, making it a prime target for attackers. Cybercriminals craft highly convincing phishing pages that mirror legitimate ADFS login portals of targeted organizations. By doing so, they trick users into submitting their credentials and multi-factor authentication (MFA) details, effectively bypassing security measures (Infosecurity Magazine).

Use of Spoofed Login Portals

The phishing campaign involves creating counterfeit login sites that closely resemble the ADFS authentication pages of the victim’s organization. These spoofed portals are used to deceive employees into entering their credentials and MFA codes. This method has reportedly compromised accounts in over 150 organizations, with significant impact on sectors like education, healthcare, and government agencies (WinBuzzer).

Malvertising as a Lure Delivery Channel

A notable component of this attack is the use of malvertising as a lure delivery channel. Malvertising involves embedding malicious advertisements on legitimate websites, which then redirect users to phishing sites. This method helps attackers bypass traditional phishing controls that are typically placed at the email layer. By leveraging malvertising, attackers can create a highly convincing and difficult-to-spot phishing scenario (Push Security).

Advanced Social Engineering Techniques

The attackers employ advanced social engineering techniques to make their phishing attempts more convincing. Phishing emails are crafted to appear as though they originate from trusted sources, such as an organization’s IT department. These emails often carry urgent themes, such as security updates or policy changes, and include links to fraudulent ADFS login pages. The URLs of these pages mimic legitimate ADFS structures, using obfuscation techniques to evade link verification tools and avoid raising suspicion among users (Cybersecurity News).

Multi-Tiered Redirect Abuse

Another sophisticated tactic used in these attacks is what Cloudflare describes as “multi-tiered redirect abuse.” This involves cloaking malicious links using a URL shortening service like Bitly. The shortened link is then sent in an email message via a Proofpoint-secured account, causing it to be obscured a second time. This behavior creates a redirection chain, where the URL passes through two levels of obfuscation—Bitly and Proofpoint’s URL Defense—before taking the victim to the phishing page (The Hacker News).

Implications for Enterprise Security

The persistent threat of social engineering, as highlighted by this campaign, underscores the importance of phishing-resistant authentication. Despite technical advancements in security, social engineering remains one of the biggest threats to enterprise security. The campaign has been running undetected for six years, targeting Microsoft ADFS users across multiple industries, including education, healthcare, government, and technology (LinkedIn).

Real-Time Access and Internal Threat Propagation

Once attackers gain access to corporate accounts through stolen credentials, they can conduct financial fraud, spread phishing attacks internally, and manipulate email settings to evade detection. This real-time access allows cybercriminals to exploit the compromised accounts for various malicious activities, further amplifying the threat to the organization (WinBuzzer).

Obfuscation Techniques and Evasion Strategies

Attackers use obfuscation techniques to evade detection by security tools. This includes mimicking legitimate ADFS structures in URLs and employing techniques to bypass link verification tools. By doing so, they reduce the likelihood of raising suspicion among users and increase the chances of successful credential theft (Cybersecurity News).

The Role of Legitimate Services in Phishing

The use of legitimate Microsoft services in phishing attacks adds a layer of complexity to the attack vector. By leveraging these services, attackers can create phishing scenarios that are not only convincing but also difficult to detect. This highlights the need for organizations to implement robust security measures that can identify and mitigate such sophisticated threats (Push Security).

The Need for Enhanced Security Measures

The ongoing threat posed by these phishing campaigns calls for enhanced security measures. Organizations must focus on implementing phishing-resistant authentication methods and educating employees about the risks of social engineering. Additionally, security teams should invest in advanced detection tools that can identify and neutralize sophisticated phishing attempts before they cause significant harm (LinkedIn).

Final Thoughts

The persistent threat posed by these phishing campaigns underscores the critical need for enhanced security measures. Organizations must adopt phishing-resistant authentication methods and educate employees about the risks of social engineering. The use of legitimate services in phishing attacks adds complexity, making it imperative for security teams to invest in advanced detection tools that can identify and neutralize sophisticated threats before they cause significant harm (LinkedIn).

As cybercriminals continue to evolve their tactics, leveraging technologies like AI and IoT, the cybersecurity landscape must adapt accordingly. The ongoing battle against these threats requires a proactive approach, combining technological advancements with human vigilance to safeguard sensitive information and maintain trust in digital systems.

References

• Infosecurity Magazine. (2025). Phishing attack bypasses Microsoft ADFS. https://www.infosecurity-magazine.com/news/phishing-attack-bypasses-microsoft/
• WinBuzzer. (2025). Mass phishing attack fakes Microsoft ADFS login portals to hijack business email accounts. https://winbuzzer.com/2025/02/06/mass-phishing-attack-fakes-microsoft-adfs-login-portals-to-hijack-business-email-accounts-xcxwbn/
• Push Security. (2025). Phishing with Active Directory Federation Services. https://pushsecurity.com/blog/phishing-with-active-directory-federation-services/
• Cybersecurity News. (2025). Hackers exploiting ADFS to bypass MFA, gain unauthorized access. https://cybersecuritynews.com/hackers-exploiting-adfs-to-bypass-mfa-gain-unauthorized-access/
• The Hacker News. (2025). Experts detect multi-layer redirect abuse. https://thehackernews.com/2025/07/experts-detect-multi-layer-redirect.html
• LinkedIn. (2025). Six-year phishing campaign targeting ADFS: A wake-up call for CISOs. https://www.linkedin.com/pulse/six-year-phishing-campaign-targeting-adfs-wake-up-call-cisos-ui0ae