Cyberattackers now targeting the Education Sector, Hijack Microsoft Accounts

A sophisticated cyberattack campaign is targeting organizations that still rely on Active Directory Federation Services (ADFS) for authentication across applications and services.

The phishing campaign is exploiting Microsoft Active Directory Federation Services (ADFS) to bypass multifactor authentication (MFA) and take over user accounts, allowing threat actors to carry out further malicious activity across networks that depend on the service for single sign-on (SSO).

According to researchers, the phishing campaign is targeting about 150 organizations, mostly in the education sector, that rely on ADFS to authenticate across multiple on-premises and cloud-based systems.

  • The campaign uses spoofed emails that direct people to fake Microsoft ADFS log-in pages.
  • These are personalized for the particular MFA setup used by the target.
  • Once a victim enters credentials and an MFA code, attackers take over the accounts and are able to pivot to other services through the SSO function.
  • The attackers appear to be carrying out a range of post-compromise activities, including reconnaissance, the creation of mail filter rules to intercept communications, and lateral phishing that targets other users in the organization.
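The post-compromise step that is easiest for a defender to catch is the creation of mail filter rules, since every new or changed inbox rule leaves an audit record. The following script is an added example (not code from the article or from the researchers it cites) that scans a handful of constructed audit records for the rule patterns described above: rules that forward mail to an external domain, rules that delete or hide messages matching sensitive keywords, and rules with deliberately unobtrusive names. The record shape and parameter names (`Operation`, `Parameters`, `ForwardTo`, `DeleteMessage`, and so on) are assumptions loosely modelled on Microsoft 365 audit log conventions; adjust them to whatever your tenant actually exports.

```python
import json

# Constructed sample records (JSON lines), not real audit data. Field names are
# assumptions modelled on Microsoft 365 unified audit log inbox-rule events.
SAMPLE_AUDIT_JSONL = "\n".join([
    json.dumps({"Operation": "New-InboxRule", "UserId": "staff1@example.edu",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "DeleteMessage", "Value": "True"},
                               {"Name": "SubjectContainsWords", "Value": "password;invoice;helpdesk"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "staff2@example.edu",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "news@example.edu"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "staff3@example.edu",
                "Parameters": [{"Name": "Name", "Value": "fwd"},
                               {"Name": "ForwardTo", "Value": "external@attacker.example"}]}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "staff4@example.edu", "Parameters": []}),
])

# Assumed organisation domains; anything else is treated as external.
ORG_DOMAINS = {"example.edu"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder"}
MATCH_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
# Terms an attacker intercepting a mailbox typically filters on (constructed list).
INTERCEPT_KEYWORDS = {"password", "invoice", "helpdesk", "mfa", "security", "payment"}


def parse_audit_lines(text):
    """Parse JSON-lines audit export into a list of record dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def params_of(record):
    """Flatten the Parameters list into a {name: value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(address):
    """True if the address' domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in ORG_DOMAINS


def classify_rule(record):
    """Return the list of reasons a rule event looks like mailbox interception, or []."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = params_of(record)
    reasons = []

    # 1. Forwarding or redirecting to an address outside the organisation.
    targets = [v for k, v in params.items() if k in EXFIL_PARAMS]
    if any(is_external(addr) for v in targets for addr in v.split(";") if addr):
        reasons.append("forwards-externally")

    # 2. Deleting or moving messages whose subject/body matches sensitive terms.
    matched_terms = {
        term.strip().lower()
        for k, v in params.items() if k in MATCH_PARAMS
        for term in v.split(";")
    }
    if HIDE_PARAMS & params.keys() and matched_terms & INTERCEPT_KEYWORDS:
        reasons.append("hides-keyword-matches")

    # 3. A name chosen to be overlooked: one or two characters, or no letters/digits.
    name = params.get("Name", "").strip()
    if len(name) <= 2 or not any(ch.isalnum() for ch in name):
        reasons.append("unobtrusive-name")

    return reasons


def find_suspicious_rules(records):
    """Return [(user, reasons)] for every rule event with at least one reason."""
    hits = []
    for rec in records:
        reasons = classify_rule(rec)
        if reasons:
            hits.append((rec.get("UserId", "<unknown>"), reasons))
    return hits


if __name__ == "__main__":
    for user, reasons in find_suspicious_rules(parse_audit_lines(SAMPLE_AUDIT_JSONL)):
        print(f"{user}: {', '.join(reasons)}")
```

Run against the constructed sample it flags `staff1@example.edu` (a rule named "." that deletes mail mentioning passwords or invoices) and `staff3@example.edu` (forwarding to an external domain), and ignores the ordinary "Newsletters" rule and the login event. In practice the same checks are worth correlating with the sign-in that created the rule, since an attacker who has already passed the ADFS login page and MFA prompt will otherwise look like the legitimate user.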

Targeting the legacy SSO capability in ADFS, a function that’s “convenient for enterprise users,” can reap big dividends, observes Jim Routh, chief trust officer at security firm Saviynt. The feature was originally designed for use behind a firewall but is now more exposed because it’s increasingly been applied across cloud-based services, even though it was never designed for that, he notes.

Legacy Users at Risk

While the campaign targets various industries, organizations bearing the brunt of attacks — more than 50% — are schools, universities, and other educational institutions, the researchers said. “This highlights the attackers’ preference for environments with high user volumes, legacy systems, fewer security personnel, and often less mature cybersecurity defenses,” according to the report.

Other sectors targeted in the campaign that also reflect this preference include, in order of attack frequency: healthcare, government, technology, transportation, automotive, and manufacturing.

“This reliance is particularly prevalent in sectors with slower technology adoption cycles or legacy infrastructure dependencies — making them prime targets for credential harvesting and account takeovers,” according to the report.

Attackers in the campaign are spoofing Microsoft ADFS login pages to harvest user credentials and bypass MFA in a way that one longtime security professional says he hasn’t seen before.

While Microsoft and Abnormal Security both recommend that organizations transition to Microsoft's modern identity platform, Entra, for authentication, many organizations with less sophisticated IT departments still depend on ADFS, which leaves them vulnerable, the researchers noted.

