A sophisticated phishing campaign targeting Microsoft ADFS has been observed, affecting more than 150 organizations
# Incident Report: ADFS MFA Bypassing Phishing Campaign
## Executive Summary
A sophisticated, multi-stage phishing campaign was observed targeting organizations utilizing Microsoft Active Directory Federation Services (ADFS) for Single Sign-On (SSO). Attackers deployed highly convincing, customized spoofed ADFS login pages designed to harvest user credentials *and* active Multi-Factor Authentication (MFA) codes, leading directly to account takeover and subsequent financial fraud or lateral phishing. The primary response focused on user education and recommending migration away from the vulnerable ADFS infrastructure.
## Incident Details
- Discovery Date: February 4, 2025 (Date of report/research publication by Abnormal Security)
- Incident Date: Ongoing campaign, observed prior to February 2025.
- Affected Organization: Over 150 organizations targeted globally.
- Sector: Education (over 50%), Healthcare (14.8%), Government (12.5%), Technology (6.3%), Transportation (3.4%).
- Geography: US, Canada, Australia, and Europe.
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly stated, but occurred prior to the February 4, 2025 report.
- Vector: Highly customized spear-phishing emails targeting ADFS users.
- Details: Emails appeared to originate from the organization’s IT department, directing users to a spoofed ADFS login page.
### Lateral Movement
- Details: After account takeover, attackers reportedly conducted "lateral phishing" (sending further malicious emails from the compromised account) and performed financial fraud.
### Data Exfiltration/Impact
- Details: Successful account takeover following the MFA bypass; the compromised account was then used for lateral phishing and financial fraud attempts.
### Detection & Response
- Detection: Disclosed by cybersecurity researchers at Abnormal Security.
- Response Actions: The report focused on recommendations rather than specific organizational containment actions, emphasizing security awareness training and platform migration.
## Attack Methodology
- Initial Access: **Phishing** via spoofed emails directing users to customized ADFS login pages.
- Persistence: Not explicitly detailed; the account takeover itself provides continued access.
- Privilege Escalation: Not explicitly detailed; gaining access through the SSO infrastructure is the primary goal.
- Defense Evasion: **Customization of phishing pages** to perfectly mirror the target organization's MFA setup, increasing user believability.
- Credential Access: Harvesting of **Username, Password, and MFA Codes** simultaneously via the fake login portal.
- Discovery: Not applicable (Direct attack vector).
- Lateral Movement: **Lateral Phishing** (sending further malicious emails from the compromised account).
- Collection: Collection of sensitive access data for fraud is implied.
- Exfiltration: Not explicitly detailed; the execution of financial fraud is implied.
- Impact: **Financial Fraud** and unauthorized access.
## Impact Assessment
- Financial: Attempts at financial fraud were reported as an outcome.
- Data Breach: Credentials and active MFA tokens were stolen. Extent of further data compromise is not quantified.
- Operational: Potential disruption due to account compromise and subsequent fraudulent activities.
- Reputational: Risk associated with successful large-scale phishing campaigns against various critical sectors.
## Indicators of Compromise
- Network indicators: Not provided (specific URLs of the phishing sites are not listed in the source).
- File indicators: None provided.
- Behavioral indicators: Users entering credentials and MFA codes into a seemingly legitimate ADFS login page that is actually externally hosted.
## Response Actions
*Containment/Eradication/Recovery*: Specific organizational actions are not detailed in the source material. Recommendations focus on proactive security hardening.
## Lessons Learned
- Legacy authentication systems like ADFS present significant and persistent risk, especially when MFA is integrated at that layer.
- Attackers are employing highly tailored social engineering (customized phishing pages matching MFA configurations) instead of brute-force urgency tactics.
- MFA codes offer no protection when they are captured in real time by a proxy relay or credential-harvesting page and used before they expire, which circumvents the control.
## Recommendations
- **Platform Migration:** Organizations must prioritize migrating from legacy ADFS infrastructure to modern identity solutions such as Microsoft Entra, which offer stronger, integrated security controls.
- **Security Awareness:** Enhance employee training to focus specifically on subtle social engineering cues, psychological manipulation, and how to independently verify the authenticity of login prompts (even those appearing internal).
- **Advanced Detection:** Implement AI-powered email filtering and behavioral monitoring to detect sophisticated phishing landing pages and unusual credential submission patterns.
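The behavioral indicator above (an ADFS-style login page hosted outside the organization) and the detection recommendation can be turned into a simple email-triage check. The following is an added example, not code from Abnormal Security or the source report; the organization domain, the federation host names, and the sample lure are all constructed assumptions. It flags URLs that carry ADFS sign-in markers (the `/adfs/ls/` or `/adfs/oauth2/` path, or the WS-Federation `wa=wsignin1.0` / `wtrealm` parameters) on any host that is not one of the organization's known federation servers, and URLs on external hosts that borrow the organization's name.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed for this example: the organisation's domain and its genuine federation hosts (assumed names).
ORG_DOMAIN = "example.edu"
ORG_LABEL = ORG_DOMAIN.split(".")[0]          # "example"
LEGIT_FEDERATION_HOSTS = {"adfs.example.edu", "sts.example.edu"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Genuine ADFS sign-in endpoints live under /adfs/ls/ (WS-Fed/SAML) or /adfs/oauth2/ (OIDC).
ADFS_PATH_RE = re.compile(r"^/adfs/(ls|oauth2)(/|$)", re.IGNORECASE)


def is_internal(host: str) -> bool:
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def looks_like_adfs_signin(parsed) -> bool:
    """True if the path or WS-Fed query parameters mimic an ADFS sign-in URL."""
    if ADFS_PATH_RE.match(parsed.path or ""):
        return True
    qs = parse_qs(parsed.query)
    return "wsignin1.0" in qs.get("wa", []) or "wtrealm" in qs


def classify_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a spoofed ADFS login page; empty if it is clean."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if host in LEGIT_FEDERATION_HOSTS:
        return []                      # our own federation server: nothing to flag
    reasons = []
    signin = looks_like_adfs_signin(parsed)
    if signin and not is_internal(host):
        reasons.append("adfs-sign-in-on-external-host")
    elif signin:
        reasons.append("adfs-sign-in-on-non-federation-host")
    if not is_internal(host) and ORG_LABEL in host:
        reasons.append("org-name-in-external-host")
    return reasons


def triage_email(body: str) -> dict[str, list[str]]:
    """Map every flagged URL in an email body to the reasons it was flagged."""
    return {u: r for u in URL_RE.findall(body) if (r := classify_url(u))}


# Constructed sample lure in the style the report describes (IT-department pretext).
SAMPLE_EMAIL = """From: IT Help Desk
Subject: Action required: MFA re-enrollment
Confirm at https://adfs.example.edu/adfs/ls/?wa=wsignin1.0 before Friday.
Having trouble? Use the mirror: https://example-edu-sso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:example
Policy: https://www.example.edu/it/policies
"""

if __name__ == "__main__":
    for url, reasons in triage_email(SAMPLE_EMAIL).items():
        print(url, "->", ", ".join(reasons))
```

Only the "mirror" link is reported; the genuine federation URL and the policy page pass, while an ADFS sign-in path on an internal but non-federation host is flagged separately so it can be triaged as a possible misconfiguration rather than an external lure.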