Active Microsoft ADFS Phishing Campaign that Bypasses MFA
On February 4th, 2025, Abnormal Security in conjunction with Axios disclosed an active phishing campaign that has been ongoing for at least six years.
This phishing campaign targets organizations that use Microsoft Active Directory Federation Services (ADFS) which is Microsoft’s legacy single sign-on product. This campaign has targeted over 150 organizations with a heavy emphasis on education, healthcare, and government sectors. According to Abnormal Security, “this highlights the attackers’ preference for environments with high user volumes, legacy systems, fewer security personnel, and often less mature cybersecurity defenses.” Once breached, attackers can move laterally and escalate their financially motivated attacks.
Learn more about the attack and how to effectively defend against it.
How is the ADFS attack executed?
The attack exploits both human and technology-based weaknesses, combining social engineering with login page spoofing. By chaining the techniques listed below, the attacker harvests not just the user’s credentials but also their second factor, which is enough to fully take over the user’s account.
The key components used in the attack sequence are:
- Phishing emails: sent from an address that appears to belong to the organization’s IT department or help desk, the emails claim that the user urgently needs to log in via the specified link to resolve some IT-related request. Often the emails carry the organization’s logo to convince the user of their legitimacy.
- Phishing landing page: once the user clicks the link in the phishing email, they are directed to what looks like their organization’s ADFS login page. Like the emails, the login pages bear the organization's brand colors and logo to add to their credibility.
- MFA bypass: after the user provides their credentials on the phishing landing page masquerading as a legitimate ADFS login page, the attack moves to bypass the second factor such as “Microsoft Authenticator, Duo Security, and SMS verification”. The user sees the second factor form which captures the second factor. Once the user completes this, they are directed to their organization’s legitimate ADFS page to minimize user suspicion.
How to defend against this attack?
With all due respect, this is where we deviate from Abnormal Security’s recommendations. They highlight the importance of transitioning to modern platforms, user awareness training, and deploying “AI defense” to detect identity-based threats. The key challenge with these suggested defenses is that they aim to reduce the probability of a successful phishing attack but don’t address the two root causes of phishing attacks:
- Shared secrets
- Human fallibility (no shade to humans of course). According to a sobering statistic from KnowBe4, 4.69% of end-users will continue to click malicious links even after training.
Just one successful phishing attack can wreak havoc. We prefer defenses that don’t just reduce, but eliminate, the threat altogether. Here’s how you can deploy a complete phishing defense:
- No shared secrets: Any time a secret is sent over the internet, it’s no longer a secret. That is, while we have techniques like salting, hashing, and data encryption, any time a secret is shared it leaves a trace across services like proxies, CDNs, message brokers, and more – effectively expanding your attack surface to something impossible to track and defend.
- No weak factors: Phishable factors include passwords, one-time passcodes (OTP), and push notifications. These factors are easily stolen, and users can be easily tricked into providing them on malicious sites. By removing them from the authentication flow altogether, the user cannot be phished because attackers can’t steal what doesn’t exist.
- Implement phishing-resistant MFA: Use device-bound asymmetric credentials (passkeys) to authenticate users across any operating system. The private key never leaves the device, so there is no secret to hand over to a phishing page.
- Enforce verifier impersonation resistance: Recognizing that users will always click on malicious links, it’s important to implement solutions that do not rely on human perception to validate the legitimacy of access requests. The way to implement this is by programmatically verifying the origin of access requests and ensuring that they come from an authorized and legitimate service.
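The last two bullets, verifier impersonation resistance and device-bound credentials, are exactly what a WebAuthn/passkey relying party enforces when it checks an assertion. The following is an added example, not code from the original post or from any product it mentions: a minimal relying-party check of the bindings a verifier must enforce before it even looks at the signature. The browser records the origin the user was actually on in clientDataJSON, and the authenticator commits to the Relying Party ID it used in authenticatorData, so an assertion captured on a look-alike domain names the wrong origin and fails here. The values of RP_ID and ALLOWED_ORIGINS, the sample origins, and the helpers that stand in for the browser and the authenticator are constructed for this example; the signature check that follows these bindings (over authenticatorData plus SHA-256(clientDataJSON), using the stored public key) is outside this block and uses only the Python standard library.

```python
"""Relying-party binding checks for a WebAuthn assertion (added example).

Only the standard library is used. Signature verification with the stored
public key is the step that follows these checks and is not shown here.
"""
import base64
import hashlib
import json
import secrets
from typing import Tuple

# Assumed deployment values (constructed for this example).
RP_ID = "sso.example.com"
ALLOWED_ORIGINS = {"https://sso.example.com"}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion_binding(client_data_b64: str, auth_data_b64: str,
                             expected_challenge: bytes) -> Tuple[bool, str]:
    """Enforce ceremony type, challenge freshness, origin and RP ID binding.

    Returns (ok, reason). A phishing proxy can relay the real challenge, but
    it cannot make the victim's browser report the legitimate origin, and the
    authenticator scopes the credential to the RP ID it actually saw.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "clientDataJSON is not valid base64url JSON"
    if not isinstance(client_data, dict) or client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or cross-session use)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, "origin %r is not an allowed verifier" % (origin,)
    auth_data = b64url_decode(auth_data_b64)
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:  # UP flag: user presence was verified
        return False, "user presence flag not set"
    return True, "binding checks passed; proceed to signature verification"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds for
    navigator.credentials.get(); the browser, not the page, fills in origin."""
    doc = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
           "origin": origin}
    return b64url_encode(json.dumps(doc).encode())


def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> str:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return b64url_encode(hashlib.sha256(rp_id.encode()).digest()
                         + bytes([flags]) + counter.to_bytes(4, "big"))


def demo() -> dict:
    """Genuine sign-in, an AiTM-style relay from a look-alike domain, and a
    replay with a stale challenge. Only the first passes."""
    challenge = secrets.token_bytes(32)
    genuine = verify_assertion_binding(
        make_client_data("https://sso.example.com", challenge),
        make_auth_data(RP_ID), challenge)
    # The proxy relays the real challenge, but the victim's browser reports
    # the phishing origin and the authenticator scopes to that RP ID.
    phished = verify_assertion_binding(
        make_client_data("https://sso-example.com", challenge),
        make_auth_data("sso-example.com"), challenge)
    replayed = verify_assertion_binding(
        make_client_data("https://sso.example.com", secrets.token_bytes(32)),
        make_auth_data(RP_ID), challenge)
    return {"genuine": genuine, "phished": phished, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} ok={ok} reason={reason}")
```

The ordering matters in a real deployment only for the error message; every check must pass. Passwords and OTPs have no equivalent of the origin field, which is why a convincing copy of the ADFS page is enough to steal them, while the same copy yields an assertion the real service rejects.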
By replacing weak factors with strong, phishing-resistant MFA and removing the burden of authentication from human beings, organizations can achieve practical and complete defense against phishing and MFA bypass attacks like the one leveraged against Microsoft ADFS.