Full Report
Hackers are using a novel technique that combines legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 logins. [...]
Analysis Summary
# Tool/Technique: ADFS-Assisted Phishing Redirects
## Overview
This entry describes a phishing technique that rides on legitimate Microsoft infrastructure, specifically the federation hand-off performed for Active Directory Federation Services (ADFS), to move victims from a trusted link (`office.com`) to an attacker-controlled page that harvests Microsoft 365 credentials. Because the first hop is a genuine Microsoft domain, the malicious step sits in the middle of a redirect chain rather than in the link the user clicks, which is what defeats link-based inspection.
## Technical Details
- Type: Technique (phishing via a trusted redirect chain)
- Platform: Microsoft 365 sign-in flows; Active Directory Federation Services (ADFS) federation.
- Capabilities: bypassing URL-reputation and link-scanning controls, because the clicked link points at a trusted Microsoft domain; presenting the credential prompt at the end of what looks like a normal SSO hand-off. The report describes theft of Microsoft 365 logins; it does not say whether the phishing page also relays MFA or session tokens.
- First Seen: analysis published around August 20, 2025 (based on the article date).
## MITRE ATT&CK Mapping
- [T1566 - Phishing]
- [T1566.002 - Spearphishing Link] (The initial trigger often involves a sponsored/malicious link)
- [T1078 - Valid Accounts]
- [T1078.004 - Cloud Accounts] (Goal is credential theft)
- [T1583.008 - Acquire Infrastructure: Malvertising] (the sponsored search result that starts the chain; the redirect chain itself places no adversary between the user and Microsoft, so the adversary-in-the-middle techniques do not apply)
## Functionality
### Core Capabilities
- **Initial Access:** Victims click a malicious sponsored link (malvertising) placed against searches for Office 365 / Microsoft 365 login pages.
- **Trusted Redirect Chain:** The click first lands on a legitimate Microsoft domain (`office.com`), and the sign-in flow that follows redirects to an attacker-controlled domain (`bluegraintours[.]com`).
- **ADFS Abuse:** The attacker registered their own Microsoft 365 tenant and federated it with an ADFS-style identity provider hosted on `bluegraintours[.]com`. Microsoft's sign-in flow therefore hands the authentication request to the attacker's domain exactly as it would for any federated domain; no access to the victim organisation's ADFS is needed.
- **Credential Capture:** The final destination is a phishing page built to collect Microsoft 365 login credentials.
### Advanced Features
- **Evasion via Legitimacy:** Starting the chain on `office.com` defeats link scanners and URL-reputation checks that inspect only the URL the user clicks.
- **Content Cloaking:** The intermediate domain (`bluegraintours[.]com`) is padded with benign-looking content (blog posts) so that crawlers and sandboxes classify it as harmless.
- **Conditional Loading:** The credential prompt is served only to visitors the attacker considers valid targets; everyone else is bounced back to the legitimate `office.com`, so an analyst or scanner following the chain sees nothing malicious.
## Indicators of Compromise
- File Hashes: N/A (Technique-focused)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
- Initial Malicious Redirect Domain: `bluegraintours[.]com` (Defanged)
- Behavioral Indicators:
- Sign-in flows that start on `office.com` or a Microsoft login domain and pass through an external, non-Microsoft host that is not the organisation's own federation endpoint before the user ends up on a credential prompt.
- Note that the federation in this technique belongs to the attacker's tenant, so the victim organisation's ADFS logs will not record it; the redirect is visible in web-proxy, DNS or browser telemetry, and any later use of the stolen credentials shows up in the tenant's sign-in logs.
## Associated Threat Actors
- Unspecified group experimenting with novel techniques.
- Mentioned alongside groups such as ShinyHunters and Scattered Spider, which likewise experiment with trusted links and novel delivery techniques.
## Detection Methods
- **Signature-based detection:** Limited, because the URL the user clicks is a legitimate Microsoft one; only the intermediate domain is a usable indicator, and it can be rotated.
- **Behavioral detection:** Monitor for redirect chains in which trust is established by a legitimate domain (`office.com`) but the sign-in then leaves Microsoft infrastructure for an unknown external host acting as a federation endpoint.
- **YARA rules if available:** N/A
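The behavioral indicator above, turned into a check over proxy-style logs, as an added example that is not code from the original report. It assumes a hypothetical log format (`<ISO timestamp> <user> <url>`), a hypothetical corporate ADFS farm name (`adfs.example.com`), and an allow-list of Microsoft sign-in domains that you would extend for your own tenant; the sample log lines are constructed, with `bluegraintours.com` standing in for the domain the report names and all paths invented.

```python
"""Flag sign-in flows that leave Microsoft domains for an unknown host.

Added example, not code from the original report. It walks constructed
proxy-style log lines ("<ISO timestamp> <user> <url>", a hypothetical format),
groups them per user, and reports any hop where the previous request went to a
Microsoft sign-in domain and the next one, within a short window, went to a
host that is neither Microsoft nor the organisation's own federation endpoint.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Domains where a Microsoft 365 sign-in legitimately lives (assumed allow-list;
# extend for your tenant, e.g. CDN hosts the sign-in page loads).
MICROSOFT_DOMAINS = ("office.com", "microsoftonline.com", "microsoft.com",
                     "live.com", "msauth.net", "cloud.microsoft")
# Federation endpoints the organisation really uses (hypothetical farm name).
KNOWN_IDP_HOSTS = {"adfs.example.com"}
# Two requests further apart than this are not treated as one redirect chain.
WINDOW = timedelta(seconds=10)

# Constructed sample: alice follows a sponsored result into the malicious chain,
# bob performs a normal federated sign-in through the corporate ADFS farm.
# bluegraintours.com is the domain named in the report; the paths are invented.
SAMPLE_LOG = """\
2025-08-20T09:01:02Z alice https://www.google.com/search?q=office+365+login
2025-08-20T09:01:03Z alice https://www.office.com/?auth=2&home=1
2025-08-20T09:01:04Z alice https://login.microsoftonline.com/common/oauth2/authorize
2025-08-20T09:01:05Z alice https://bluegraintours.com/adfs/ls/?wa=wsignin1.0
2025-08-20T09:01:06Z alice https://bluegraintours.com/blog/office-login.html
2025-08-20T09:02:10Z bob https://www.office.com/
2025-08-20T09:02:11Z bob https://login.microsoftonline.com/common/oauth2/authorize
2025-08-20T09:02:12Z bob https://adfs.example.com/adfs/ls/?wa=wsignin1.0
2025-08-20T09:02:14Z bob https://login.microsoftonline.com/login.srf
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains, not for look-alikes."""
    return host == domain or host.endswith("." + domain)


def is_microsoft(host: str) -> bool:
    return any(in_domain(host, d) for d in MICROSOFT_DOMAINS)


def parse_log(text: str) -> list:
    """Parse the hypothetical '<ts> <user> <url>' format into (ts, user, url)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, url = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, url))
    return events


def find_suspicious_hops(events: list) -> list:
    """Report Microsoft -> unknown-host transitions inside one user's sign-in."""
    by_user = {}
    for ts, user, url in sorted(events):
        by_user.setdefault(user, []).append((ts, url))
    findings = []
    for user, seq in by_user.items():
        for (t_prev, u_prev), (t_cur, u_cur) in zip(seq, seq[1:]):
            if t_cur - t_prev > WINDOW:
                continue
            h_prev, h_cur = host_of(u_prev), host_of(u_cur)
            if (is_microsoft(h_prev) and not is_microsoft(h_cur)
                    and h_cur not in KNOWN_IDP_HOSTS):
                findings.append({"user": user, "when": t_cur.isoformat(),
                                 "from": h_prev, "to": h_cur, "url": u_cur})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_hops(parse_log(SAMPLE_LOG)):
        print(f"{f['when']} {f['user']}: {f['from']} -> {f['to']} ({f['url']})")
```

Only alice's hop from `login.microsoftonline.com` to `bluegraintours.com` is reported; bob's hop to the known corporate farm is not. The check uses request ordering rather than the Referer header because browsers often drop Referer across 302 redirects; if your proxy logs a reliable referrer, joining on it instead reduces false pairings of unrelated requests. Exact-or-subdomain matching in `in_domain` is deliberate: a plain suffix test would accept look-alikes such as `evil-office.com`.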
## Mitigation Strategies
- **Monitor Federation Redirects:** Alert when a Microsoft sign-in redirects to a federation endpoint that is not one the organisation operates, or to a domain that has no business being in the authentication flow.
- **Review Ad Parameters:** Inspect the parameters of search-engine ad redirects that point at `office.com`; they can carry the domain that the sign-in flow will be handed to, which exposes the attacker's infrastructure before the user reaches it.
- **Encourage Entra ID Migration:** Keep moving legacy ADFS deployments to Microsoft Entra ID (formerly Azure Active Directory) for identity and access management; with fewer legitimate federation endpoints in play, any ADFS-style redirect is easier to treat as anomalous.
- **User Training:** Technical controls come first, but users should know that a Microsoft sign-in which lands on an unfamiliar domain is a reason to stop, even if the journey began at `office.com`.
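The ad-parameter review above, as an added example that is not code from the original report. It inspects the query string of a link for the parameters Microsoft's sign-in endpoints use for home-realm discovery (`whr`, `domain_hint`, `login_hint`) and, for every other parameter, repeatedly URL-decodes the value and looks for a URL or hostname outside an allow-list. The allow-list (with `example.com` standing in for the organisation's own tenant domain) and the sample links are constructed; `bluegraintours.com` is the domain the report names.

```python
"""Inspect a sign-in link's query string for values that steer the user elsewhere.

Added example, not code from the original report. Checks the parameters that
Microsoft's sign-in endpoints use for home-realm discovery (whr, domain_hint,
login_hint) and, for every other parameter, repeatedly URL-decodes the value
and looks for a URL or hostname outside an allow-list. The allow-list and the
sample links are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Parameters that tell Microsoft's sign-in flow which identity provider to use.
REALM_PARAMS = {"whr", "domain_hint", "login_hint"}
# Domains that may legitimately appear in a sign-in link (assumed list;
# example.com stands in for the organisation's own tenant domain).
TRUSTED_DOMAINS = ("office.com", "microsoftonline.com", "microsoft.com",
                   "live.com", "example.com")
# Something that looks like a hostname: dotted labels ending in an alphabetic TLD,
# so version strings such as "wsignin1.0" are not mistaken for hosts.
HOST_RE = re.compile(r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b",
                     re.IGNORECASE)


def in_domain(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains, not for look-alikes."""
    return host == domain or host.endswith("." + domain)


def is_trusted(host: str) -> bool:
    return any(in_domain(host, d) for d in TRUSTED_DOMAINS)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (ad redirectors often wrap a URL in a URL)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str) -> list:
    """Return (parameter, host, reason) tuples for values that point off-tenant."""
    findings = []
    for key, raw in parse_qsl(urlparse(url).query, keep_blank_values=True):
        value = decode_fully(raw)
        if key.lower() in REALM_PARAMS:
            # login_hint carries user@domain; whr and domain_hint carry a domain.
            realm = value.rsplit("@", 1)[-1].lower()
            if realm and not is_trusted(realm):
                findings.append((key, realm,
                                 "steers home-realm discovery to an untrusted domain"))
            continue
        for host in sorted({m.group(1).lower() for m in HOST_RE.finditer(value)}):
            if not is_trusted(host):
                findings.append((key, host, "embedded external host"))
    return findings


# Constructed sample links; bluegraintours.com is the domain named in the report.
SAMPLE_LINKS = [
    "https://www.office.com/?auth=2&home=1",
    "https://login.microsoftonline.com/common/oauth2/authorize?whr=bluegraintours.com",
    "https://www.googleadservices.com/pagead/aclk?sa=L"
    "&adurl=https%3A%2F%2Fwww.office.com%2F%3Fwhr%3Dbluegraintours.com",
    "https://login.microsoftonline.com/login.srf?login_hint=alice%40example.com",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        for key, host, reason in suspicious_params(link):
            print(f"  {key}={host}: {reason}")
```

The third sample is the interesting one: the ad-click URL itself looks harmless, and the `office.com` destination is trusted, but the decoded `adurl` value carries a home-realm hint for an untrusted domain, which is exactly where the sign-in will be handed off. Run this over the links in an ad campaign's landing-page report or over the `adurl`/`q` style parameters your proxy sees on search-engine redirectors.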
## Related Tools/Techniques
- Standard ADFS abuse techniques used previously for credential theft.
- Malvertising campaigns targeting search results for enterprise software login pages.
- ShinyHunters and Scattered Spider tradecraft (experimental abuse of trusted links).