A sophisticated phishing campaign is targeting ADFS users by mimicking login pages to steal credentials.
Published: Feb 05, 2025
Security researchers have discovered a sophisticated phishing campaign targeting organizations that rely on Active Directory Federation Services (ADFS) for secure access. This attack has already compromised over 150 organizations across critical sectors, including healthcare, education, government, and technology.
Active Directory Federation Services (ADFS) is a software component that gives users single sign-on (SSO) access to systems and applications. This service lets users log in once and gain access to multiple systems without needing to log in again. It uses a claims-based authentication mechanism to verify user identities and supports federated identity management.
According to a new report from Abnormal Security, the attackers leverage spoofed ADFS sign-in pages to trick victims into entering their credentials and multifactor authentication (MFA) details like one-time passcodes (OTPs). This allows the attackers to gain unauthorized access to the victims’ accounts.
Abnormal Security mentioned that the success of the phishing campaign is largely due to the attacker’s ability to create very convincing phishing emails. These emails are designed to look like they come from trusted sources, such as the organization’s IT helpdesk. Typically, the attack starts with an email that appears to be an urgent notification from the IT department, which prompts the recipient to click on a link to initiate an urgent update.
Attackers disguise phishing email URLs to resemble legitimate ADFS links, making them harder to detect and preventing victims from growing suspicious. They also create fake login pages that closely mimic the official portals used by targeted organizations.
To make these pages appear authentic, hackers dynamically pull logos and branding elements from the real organization’s website. Additionally, they include forms designed to capture second-factor authentication details, such as codes from Duo Security, Microsoft Authenticator, and SMS verification.
Lastly, victims receive a message prompting them to approve a push notification or answer an automated call. They are then redirected to their organization’s legitimate sign-in page, reinforcing the illusion of authenticity. This tactic helps attackers complete the account takeover without raising suspicion.
The researchers observed that the attackers engaged in several post-compromise activities, including lateral phishing and mail filter creation. The phishing campaign was used to target more than 150 organizations across multiple regions, including the US, Canada, Europe, and Australia.
“By using non-obvious terms, the threat actors reduced the likelihood of security solutions or analysts identifying the filters as malicious,” Abnormal Security explained. “These tailored techniques ensured that any responses to lateral phishing emails were intercepted and deleted, preventing the mailbox owner from noticing malicious activity or incoming replies.”
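Because the filters rely on unpredictable keywords, a detection that keys on the rule's hiding action (delete, or move to a folder nobody reads) rather than on the words is more robust. The following Python is an added illustration of that idea, not code from the Abnormal Security report; the record layout is modelled on Microsoft 365 unified audit log entries for New-InboxRule and Set-InboxRule, and every user, IP, folder and keyword value is constructed.

```python
# Added example (not from the report): flag inbox rules whose actions would
# hide replies. Record layout is modelled on Microsoft 365 unified-audit-log
# New-InboxRule / Set-InboxRule entries; all field values are constructed.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.test", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "statement;document"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.test", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "From", "Value": "news@vendor.test"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.test", "ClientIP": "192.0.2.44",
     "Parameters": [{"Name": "Name", "Value": "a"},
                    {"Name": "BodyContainsWords", "Value": "helpdesk;portal"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
]

# Folders users rarely open: a common place to park intercepted replies.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                  "archive", "conversation history"}
KEYWORD_CONDITIONS = {"SubjectContainsWords", "BodyContainsWords",
                      "SubjectOrBodyContainsWords"}

def suspicious_reasons(event):
    """Reasons a rule looks like reply interception; empty list if it does not."""
    p = {x["Name"]: x["Value"] for x in event.get("Parameters", [])}
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely-viewed folder")
    if not reasons:          # only a hiding action makes a rule a finding
        return []
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail read")
    if p.keys() & KEYWORD_CONDITIONS:  # terms vary, so key on the action, not the words
        reasons.append("keyword-triggered")
    if len(p.get("Name", "").strip()) <= 2:
        reasons.append("non-descriptive rule name")
    return reasons

def find_suspicious_rules(events):
    """Return (user, client IP, reasons) for each rule-creation event that hides mail."""
    rule_ops = ("New-InboxRule", "Set-InboxRule")
    return [(e["UserId"], e["ClientIP"], suspicious_reasons(e))
            for e in events if e.get("Operation") in rule_ops and suspicious_reasons(e)]
```

In practice each finding is worth correlating with the sign-in that preceded it (new client IP, new device, or an MFA prompt approved seconds after a password entry), since a user's first rule from an unfamiliar address shortly after a helpdesk-themed email is the pattern this campaign leaves behind.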
Microsoft recommends that organizations migrate from ADFS to its Entra ID solution for better security. Additionally, administrators should shorten the lifespan of session tokens and multifactor authentication (MFA) codes to limit the chances of attackers exploiting stolen credentials. Blocking known phishing domains linked to this campaign is also advised to reduce security risks.