A new, sophisticated phishing campaign is exploiting Microsoft’s own infrastructure—Active Directory Federation Services (ADFS) and trusted office.com redirects—to harvest Microsoft 365 credentials. Malicious actors deploy malvertising, leading users from legitimate ads (e.g. for “Office 365”) through trusted Microsoft domains like outlook.office.com, before redirecting them to attacker-controlled phishing sites. By leveraging ADFS configurations within a valid Microsoft tenant, these redirects appear authentic to both users and security filters, enabling credential theft and even bypassing MFA protections. Security researchers urge organizations to closely monitor ADFS redirect chains, analyze Google ad parameters directing to office.com, and deploy enterprise-wide ad blockers as part of effective risk mitigation.
Sources: Bleeping Computer, Computing.co.uk, Cyber Security News
Key Takeaways
– The attack—dubbed “ADFSjacking”—abuses Microsoft’s ADFS infrastructure and valid redirects to masquerade phishing pages as authentic, thereby evading standard security tools.
– Conditional loading and intermediary domains (like faux travel blogs) further mask the redirection chain, returning non-target users to legitimate sites.
– Mitigation measures include monitoring for unusual ADFS redirects, inspecting Google ad traffic parameters for office.com, and deploying ad blockers and behavioral detection systems.
In-Depth
In a troubling escalation of cyber threats, attackers are now weaponizing Microsoft’s own identity infrastructure to probe and steal user credentials without drawing suspicion. Known as “ADFSjacking,” this strategy harnesses active directory federation services (ADFS) and trusted office.com redirects to construct a near-perfect phishing environment.
Users clicking on seemingly legitimate ads for Office 365 are funneled through outlook.office.com—giving the impression that everything is safe—before being funneled to cleverly masked credential-stealing pages. These redirects are made possible through attacker-controlled Microsoft tenants that orchestrate the redirection flow, manipulating ADFS to appear benign to security systems and users alike.
The sophistication is further evidenced by conditional loading: only the intended victim sees the phishing page, while others are harmlessly bounced back to the real Microsoft site. This stealth approach also taps into reverse-proxy techniques and token theft to sidestep multi-factor authentication.
Organizations must recalibrate their defenses accordingly: look for ADFS redirect chains targeting unknown domains, inspect Google ad-to-office.com traffic for suspicious parameters, enforce enterprise ad-blocking measures, and shift toward behavior-based detection tools that identify anomalies rather than relying solely on URL filtering. In the game of phishing, leveraging the trust of infrastructure yields powerful rewards for attackers—but informed vigilance can still level the playing field.