Hackers Weaponize Active Directory Federation Services and office.com to Steal Microsoft 365 logins


A novel and highly deceptive phishing campaign is actively stealing Microsoft 365 credentials by exploiting Microsoft’s own Active Directory Federation Services (ADFS) to redirect users from legitimate office.com links to malicious login pages.

The technique, identified by researchers at the cybersecurity firm Push Security, marks a significant evolution in phishing attacks, effectively bypassing both user vigilance and traditional security filters.

The attack leverages a combination of malvertising and a clever abuse of Microsoft’s infrastructure. Instead of relying on suspicious emails, the attackers place malicious ads on search engines.


A user searching for “Office 365” might click a seemingly legitimate ad that directs them to a genuine outlook.office.com URL. However, this URL is specially crafted to trigger the malicious redirect.

At the heart of the scheme is the abuse of ADFS, a Microsoft feature that facilitates single sign-on (SSO) by connecting an organization’s local directory with cloud services.

The threat actors set up their own Microsoft tenant and configured its ADFS settings to redirect authentication requests to a phishing domain they control.

This manipulation forces Microsoft’s own servers to send the unsuspecting victim from the trusted office.com domain to a perfect, pixel-for-pixel replica of the Microsoft login page, Push Security said.

“This is basically the equivalent to Outlook.com having an open redirect vulnerability,” noted a researcher from Push in their analysis.

Phishing Attack Chain

This “ADFSjacking,” as it has been dubbed, is potent because the initial redirect originates from a trusted Microsoft source, making it nearly impossible for URL-based security tools and wary users to detect the threat.

Request Passing

The investigation revealed a multi-stage redirect chain designed for evasion. After clicking the malicious ad, the user’s browser is invisibly passed through an intermediary domain, in one case, a fake travel blog, before landing on the final phishing site.

This intermediary step is designed to fool automated domain categorization tools, which might classify the link as harmless, allowing it to pass through web filters.

Once on the fake login page, which functions as an Attacker-in-the-Middle (AitM) proxy, any credentials entered are immediately captured. This method also allows attackers to steal session cookies, enabling them to bypass multi-factor authentication (MFA) protections and gain full access to the victim’s account.

Malicious Login Page

This campaign highlights a troubling trend where attackers are shifting their delivery methods away from email to channels like malvertising, social media, and instant messaging, thereby sidestepping robust email security gateways.

To mitigate this threat, security experts recommend organizations monitor their network logs for unusual ADFS redirects, particularly those leading to unfamiliar domains.

Filtering for Google Ad parameters in traffic directed to office.com can also help identify this specific malvertising technique. For end-users, deploying a reputable ad blocker across all web browsers remains a critical defense against the initial lure.
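The two detection ideas above (ad-tagged links into office.com, and redirects from Microsoft login hosts to unfamiliar domains) can be checked against web-proxy logs. The script below is an added example written for this article, not Push Security's or Microsoft's code. The log layout (timestamp, client IP, HTTP status, requested URL, Location header or "-"), the sample log lines, the URL paths and the allowlisted federation host adfs.example.com are all constructed assumptions; adapt the parser to your gateway's real format. The allowlist matters: a legitimate federated login also redirects from login.microsoftonline.com to the organization's own ADFS host, so only redirects to hosts that are neither Microsoft-owned nor your known federation endpoints should be flagged.

```python
"""Scan web-proxy logs for ADFSjacking-style indicators.

Added example, not part of the original article. Log lines below are
constructed sample data; the five-field line format is an assumption
about your proxy's output.
"""
from urllib.parse import urlparse, parse_qs

# Query parameters that Google Ads appends to landing-page URLs.
GOOGLE_AD_PARAMS = {"gclid", "gad_source", "gbraid", "wbraid"}

# Domains where a Microsoft login flow is expected to stay.
MICROSOFT_HOSTS = (
    "microsoft.com", "office.com", "microsoftonline.com",
    "live.com", "office365.com", "msftauth.net",
)

# Your organization's own federation endpoints (assumed value).
KNOWN_FEDERATION_HOSTS = {"adfs.example.com"}


def is_microsoft_host(host):
    """True if host is a Microsoft-owned domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_HOSTS)


def parse_line(line):
    """Parse '<ts> <client_ip> <status> <url> <location|->' into a dict."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, ip, status, url, location = parts
    return {
        "ts": ts, "ip": ip, "status": int(status), "url": url,
        "location": None if location == "-" else location,
    }


def find_ad_params(url):
    """Return the Google Ads parameters present in a URL's query string."""
    query = parse_qs(urlparse(url).query)
    return sorted(GOOGLE_AD_PARAMS & set(query))


def analyze(lines):
    """Return (finding, client_ip, host, detail) tuples for suspicious lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname or ""
        if not is_microsoft_host(host):
            continue
        # Indicator 1: an ad-tagged link landing on a Microsoft host.
        ad_params = find_ad_params(rec["url"])
        if ad_params:
            findings.append(("ad-tagged-office-link", rec["ip"], host, ",".join(ad_params)))
        # Indicator 2: a 3xx from a Microsoft host to an unknown external domain.
        if rec["location"] and 300 <= rec["status"] < 400:
            dest = urlparse(rec["location"]).hostname or ""
            if not is_microsoft_host(dest) and dest.lower() not in KNOWN_FEDERATION_HOSTS:
                findings.append(("redirect-off-microsoft", rec["ip"], host, dest))
    return findings


# Constructed sample log: an ad-tagged office.com hit, a redirect to an
# intermediary "travel blog", a legitimate federation hop, and normal traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 302 https://outlook.office.com/owa/?gclid=abc123 https://login.microsoftonline.com/common/oauth2/authorize
2024-01-01T10:00:01Z 10.0.0.5 302 https://login.microsoftonline.com/common/oauth2/authorize https://travel-blog.example/post
2024-01-01T10:00:02Z 10.0.0.7 302 https://login.microsoftonline.com/common/oauth2/authorize https://adfs.example.com/adfs/ls/
2024-01-01T10:00:03Z 10.0.0.9 200 https://outlook.office.com/mail/ -
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Running it against the sample prints two findings: the ad-tagged outlook.office.com request from 10.0.0.5, and the subsequent redirect from login.microsoftonline.com to travel-blog.example; the hop to adfs.example.com is allowlisted and the plain mailbox request is ignored. Correlating both findings on the same client IP within a short window is the strongest signal for this particular chain.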





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.