Hackers are targeting organizations relying on Microsoft Active Directory Federation Services (ADFS) by setting up fake login portals that mimic legitimate corporate authentication pages.
Security firm Abnormal Security reports that this phishing campaign has compromised accounts in over 150 organizations, with victims primarily in education, healthcare, and government agencies.
The attack works by luring employees to counterfeit login sites that mirror their company’s ADFS authentication page.
Users are tricked into entering their credentials and multi-factor authentication (MFA) codes, allowing attackers to gain real-time access to corporate accounts. Once inside, cybercriminals conduct financial fraud, spread phishing attacks internally, and manipulate email settings to evade detection.
Fake ADFS Login Pages Exploit Familiar Authentication Flows
ADFS allows organizations to implement single sign-on (SSO), enabling users to log in once and access multiple applications without re-entering their credentials. While Microsoft is shifting focus to Microsoft Entra ID, many enterprises continue using ADFS, making it an attractive target for attackers.
Phishing emails in this campaign appear to originate from a company’s IT department, urging employees to log in to confirm security updates or policy changes. The included links lead to a login page that is visually identical to the organization’s actual ADFS portal, complete with company branding and domain structure designed to appear legitimate.
Once an employee enters their credentials, the phishing site requests MFA authentication, whether through push notifications, SMS codes, or one-time passwords (OTP).

The attackers capture these details in real time and immediately use them to complete authentication on the real ADFS system. To avoid raising suspicion, victims are redirected to the legitimate login page after submitting their credentials.
According to Abnormal Security, “The phishing templates also include forms designed to capture the specific second factor required to authenticate the target’s account, based on the organization’s configured MFA settings.” The firm observed phishing pages configured to capture authentication details for services such as Microsoft Authenticator, Duo Security, and SMS verification.
Attackers Use Stolen Credentials for Internal Phishing and Financial Fraud
Once inside a compromised account, cybercriminals act quickly. Many use their access to launch business email compromise (BEC) attacks, impersonating executives or finance team members to request fraudulent wire transfers. Others spread phishing emails internally, leveraging the trust associated with an authenticated corporate account to trick additional employees.

Attackers also manipulate email settings to cover their tracks. Many create new filtering rules that automatically delete security notifications or emails that could alert victims to unauthorized access. These tactics allow cybercriminals to maintain prolonged access to breached accounts without detection.
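One way a defender can hunt for the alert-suppressing inbox rules described above is to scan mailbox audit records for rules that both hide mail (delete, move, mark read) and key on security-notification wording. This is an added example, not code from the article or from Abnormal Security; the audit records, keyword list and field names are constructed to resemble Exchange Online unified-audit-log output and should be tuned to a real tenant's logs.

```python
import json

# Words that security notifications typically carry in subject or sender (constructed list, tune per tenant).
ALERT_KEYWORDS = ("security", "unusual sign-in", "password", "mfa", "suspicious", "alert")
# Rule actions that keep a message out of the user's sight.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
# Rule conditions whose text is inspected for alert wording.
MATCH_FIELDS = ("SubjectContainsWords", "BodyContainsWords", "From")

def rule_params(record):
    """Flatten the Parameters array of an audit record into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def is_notification_hiding_rule(record):
    """True when an inbox rule both hides mail and keys on security-notification wording."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = rule_params(record)
    hides = any(action in params for action in HIDING_ACTIONS)
    condition_text = " ".join(params.get(f, "") for f in MATCH_FIELDS).lower()
    return hides and any(k in condition_text for k in ALERT_KEYWORDS)

def find_suspicious_rules(lines):
    """Return (user, time, rule name) for each audit line that looks like alert suppression."""
    findings = []
    for line in lines:
        record = json.loads(line)
        if is_notification_hiding_rule(record):
            params = rule_params(record)
            findings.append((record["UserId"], record["CreationTime"],
                             params.get("Name", params.get("Identity", "?"))))
    return findings

# Constructed audit records (hypothetical sample, not real telemetry). The first and third
# mimic attacker rules: one deletes alerts by subject, one files mail from a security sender away.
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2025-02-05T09:14:02", "Operation": "New-InboxRule",
                "UserId": "jdoe@example.edu", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "security alert;unusual sign-in;password"},
                    {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-02-05T09:20:41", "Operation": "New-InboxRule",
                "UserId": "asmith@example.edu", "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2025-02-05T09:31:10", "Operation": "Set-InboxRule",
                "UserId": "jdoe@example.edu", "Parameters": [
                    {"Name": "Identity", "Value": "Rule1"},
                    {"Name": "From", "Value": "no-reply@security.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
]

if __name__ == "__main__":
    for user, when, name in find_suspicious_rules(SAMPLE_AUDIT_LINES):
        print(f"{when} {user}: suspicious inbox rule {name!r}")
```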
To further evade security monitoring, attackers disguise their login attempts using VPN services such as Private Internet Access (PIA). This enables them to make their logins appear as if they originate from the victim’s usual geographic location, reducing the likelihood of triggering security alerts.
Microsoft Urges Organizations to Transition to Entra ID
Microsoft has been encouraging enterprises to migrate from ADFS to Microsoft Entra ID to enhance security against phishing-based attacks. Unlike ADFS, Entra ID offers phishing-resistant authentication methods, such as passwordless logins and hardware security keys.
Security experts warn that federated authentication systems like ADFS are particularly vulnerable to phishing campaigns because they rely on user trust in familiar login workflows. Similar attack strategies have been observed in Microsoft Teams phishing scams, where hackers impersonated IT staff to trick users into granting unauthorized access.
Additionally, a recent Fortra report found that attackers increasingly rely on legitimate cloud infrastructure to host phishing pages. By leveraging services such as Cloudflare Pages and Cloudflare Workers, cybercriminals can create malicious login portals that evade security filters.

Another emerging trend is the increasing use of artificial intelligence in phishing campaigns. A Netskope analysis found that AI-driven phishing has led to a sharp rise in successful attacks by improving the quality and personalization of fraudulent emails.
Education, Healthcare, and Government Sectors Are Prime Targets
The current phishing campaign has disproportionately affected the education sector, with over 50% of reported incidents targeting universities, schools, and research institutions. Many of these organizations still rely on ADFS due to legacy infrastructure and budget constraints, making them slower to adopt modern authentication solutions like Microsoft Entra ID.
Government agencies, which account for 12.5% of attacks, and healthcare providers (14.8%) also face similar challenges. These sectors handle sensitive personal and financial data, making them attractive targets for credential theft and ransomware operators.

Attackers often exploit the fact that security teams in these industries face bureaucratic hurdles and resource limitations, delaying necessary upgrades to authentication systems.
Meanwhile, technology firms (6.3%) and transportation companies (3.4%) have also been affected, likely due to their reliance on cloud-based collaboration platforms and extensive supply chain networks, which introduce additional security risks.
The shift toward phishing-based credential theft aligns with a broader trend in modern cyberattacks. Rather than deploying malware or brute-force password attacks, hackers increasingly rely on deception, social engineering, and abuse of legitimate infrastructure.
Mitigation Strategies: How Organizations Can Strengthen Security
Given the growing frequency of identity-based phishing attacks, cybersecurity experts recommend organizations take a multi-layered approach to authentication security.
First and foremost, enterprises still using ADFS should transition to Microsoft Entra ID, which offers phishing-resistant authentication features such as passwordless sign-ins and hardware security keys.
Implementing advanced email security solutions is also essential. AI-driven phishing detection tools can analyze sender behavior, identify anomalies, and block malicious messages before they reach employees. Security teams should also enforce stricter rules on URL filtering, as attackers frequently modify links to evade traditional security measures.
Monitoring authentication activity for anomalies is another key defense. Security awareness training also remains a critical component of any phishing defense strategy. Employees should be educated on how to identify phishing attempts, scrutinize URLs before entering credentials, and verify unusual login requests with their IT department.
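Because the relayed credentials and MFA codes are replayed within minutes, and the VPN exit described earlier keeps the geolocation unchanged, a useful sign-in anomaly check ignores location and instead flags two successful MFA sign-ins by one user, close together, from a different IP address and a different client. This is an added example, not code from the article; the sign-in records and the ten-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log, "timestamp,user,ip,city,user_agent,mfa_result" (hypothetical, not real data).
# jdoe's second entry mimics a relayed login: same city via VPN, but a new IP and a new browser.
SAMPLE_SIGNINS = """\
2025-02-05T08:58:10,jdoe@example.edu,203.0.113.10,Boston,Chrome/121 Windows,success
2025-02-05T09:02:33,jdoe@example.edu,198.51.100.7,Boston,Firefox/115 Linux,success
2025-02-05T09:40:00,asmith@example.edu,203.0.113.22,Boston,Edge/120 Windows,success
2025-02-05T09:45:12,asmith@example.edu,203.0.113.22,Boston,Edge/120 Windows,success
2025-02-05T12:10:05,jdoe@example.edu,192.0.2.44,Boston,Safari/17 macOS,success
"""

def parse_signins(text):
    """Parse the CSV-style log into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, city, ua, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "city": city, "ua": ua, "result": result})
    return events

def find_parallel_sessions(events, window=timedelta(minutes=10)):
    """Flag consecutive successful sign-ins by one user within `window` that come from
    both a different IP and a different client. City is deliberately not compared,
    since a VPN exit in the victim's usual location would keep it constant."""
    by_user = defaultdict(list)
    for event in events:
        if event["result"] == "success":
            by_user[event["user"]].append(event)
    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(user_events, user_events[1:]):
            if (cur["ts"] - prev["ts"] <= window
                    and cur["ip"] != prev["ip"] and cur["ua"] != prev["ua"]):
                findings.append((user, prev["ip"], cur["ip"], cur["ts"].isoformat()))
    return findings

if __name__ == "__main__":
    for user, first_ip, second_ip, when in find_parallel_sessions(parse_signins(SAMPLE_SIGNINS)):
        print(f"{when} {user}: second MFA login from {second_ip} shortly after {first_ip}")
```

A real deployment would also correlate the flagged sign-in with the inbox-rule and mail-send activity that follows it, since those are the actions the article describes attackers taking first.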
Zero-trust security frameworks, which require continuous verification of users and devices rather than relying on static login credentials, are expected to become the new standard for enterprise authentication. The industry is also exploring AI-driven security solutions that can proactively detect and respond to authentication fraud in real time.
While phishing campaigns targeting ADFS have been highly successful, their effectiveness relies on organizations failing to modernize their authentication systems. Enterprises that delay migration to more secure authentication platforms will remain vulnerable to identity-based cyberattacks.