Key Takeaways:

Attackers are abusing Microsoft’s ADFS to make phishing links look authentic.

The technique helps bypass security filters and trick users into giving credentials.

Experts recommend moving to modern identity solutions and tightening security practices.

Cybercriminals have found a clever new way to exploit Active Directory Federation Services (ADFS) and generate legitimate-looking Office.com URLs that secretly redirect users to phishing sites. This tactic not only makes the malicious links appear trustworthy but also allows attackers to slip past traditional security filters with ease.

Active Directory Federation Services (ADFS) is a solution that enables secure identity sharing across different systems and organizations. It allows users to log in to multiple applications using a single set of credentials by implementing single sign-on (SSO). Microsoft has been encouraging organizations to transition from ADFS to Microsoft Entra ID (formerly Azure AD) for identity and access management because it offers a more modern, cloud-based approach.

How does the ADFS phishing attack work?

According to the researchers at Push Security, this campaign exploits how Microsoft handles authentication redirects with Active Directory Federation Services (ADFS). An attacker sets up a fake Microsoft 365 tenant using ADFS and creates a legitimate-looking Microsoft login URL that redirects users to a malicious site.

This site, which is often delivered through deceptive ads (malvertising), mimics the real Microsoft login page using a reverse proxy. When users enter their credentials, the attacker captures them along with session cookies, which allows them to bypass multi-factor authentication and gain unauthorized access. Because the URLs appear authentic and originate from trusted Microsoft domains, they are difficult for both users and security tools to recognize as phishing, which is what makes this attack particularly dangerous.

“From what we’ve seen this appears to be a group experimenting with novel techniques to get users to click highly trusted links to fairly standard phishing kits – in the same vein as groups like Shiny Hunters and Scattered Spider have been seen doing,” explained Jacques Louw, co-founder and CPO at Push Security.

[Image: The authorization request being passed to the ADFS server (Image Credit: Push Security)]

Defensive measures against ADFS exploits

To defend against ADFS-based phishing attacks, organizations should focus on both infrastructure security and user behavior. It’s important to monitor authentication redirects and restrict which domains can be used in ADFS configurations. Microsoft also recommends using modern identity solutions like Entra ID with conditional access policies to improve security.

Furthermore, organizations should train employees to recognize suspicious login flows and to avoid reaching services like Office 365 through Google ads. It’s also advised to add browser-based phishing detection tools and to enforce multi-factor authentication with secure token handling to further reduce the risk of credential theft.
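The attack chain described above (a trusted Microsoft sign-in URL that hands the user off to an attacker-controlled federation endpoint) and the advice to monitor authentication redirects both come down to the same check: does a sign-in flow ever leave the set of identity hosts the organization actually uses? The script below is an added example, not code from Push Security or Microsoft. It assumes a simple whitespace-separated proxy log format (timestamp, user, requested URL, referer) and an allowlist of trusted sign-in hosts, both constructed for this example; the redirect parameter names it inspects and the sign-in path patterns it matches are assumptions to be adjusted to what appears in your own logs. It applies two rules to each log line: a redirect-style query parameter on a Microsoft sign-in URL that names a host outside the allowlist, and a request for a sign-in page on a non-allowlisted host that was reached directly from a Microsoft sign-in host.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Microsoft sign-in hosts a user is expected to pass through (constructed list for this example).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "www.office.com",
}

# Everything a legitimate sign-in may touch: Microsoft's hosts plus the organization's
# own federation endpoint. "sts.example-corp.internal" is an assumed in-house ADFS host.
TRUSTED_LOGIN_HOSTS = MICROSOFT_LOGIN_HOSTS | {"sts.example-corp.internal"}

# Query parameters that commonly carry a post-authentication destination.
# Assumed names for illustration; extend with whatever your own logs show.
REDIRECT_PARAMS = ("redirect_uri", "wreply", "ReturnUrl", "url", "target")

# Paths treated as sign-in pages. /adfs/ls is the ADFS passive sign-in endpoint;
# the other patterns are assumptions covering generic phishing-kit login pages.
SIGNIN_PATH_RE = re.compile(r"/adfs/ls|/signin|/login", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def embedded_redirect_hosts(url):
    """Hosts named by redirect-style query parameters of url (percent-decoding handled by parse_qs)."""
    query = parse_qs(urlsplit(url).query)
    hosts = []
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            host = host_of(value)
            if host:
                hosts.append(host)
    return hosts


def parse_log_line(line):
    """Split one constructed proxy log line: '<ts> <user> <url> <referer or ->'."""
    ts, user, url, referer = line.split()
    return {"ts": ts, "user": user, "url": url, "referer": "" if referer == "-" else referer}


def detect_suspicious_redirects(lines):
    """Return (user, rule, host) findings for sign-in flows that leave the trusted host set."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        req_host = host_of(rec["url"])

        # Rule 1: a Microsoft sign-in URL carries a redirect target outside the allowlist.
        if req_host in MICROSOFT_LOGIN_HOSTS:
            for target in embedded_redirect_hosts(rec["url"]):
                if target not in TRUSTED_LOGIN_HOSTS:
                    findings.append((rec["user"], "redirect_to_untrusted_host", target))

        # Rule 2: a sign-in page on a non-allowlisted host was reached straight from a
        # Microsoft sign-in host, i.e. the federation hop went somewhere unexpected.
        ref_host = host_of(rec["referer"])
        path = urlsplit(rec["url"]).path
        if (ref_host in MICROSOFT_LOGIN_HOSTS
                and req_host not in TRUSTED_LOGIN_HOSTS
                and SIGNIN_PATH_RE.search(path)):
            findings.append((rec["user"], "federated_signin_off_allowlist", req_host))
    return findings


# Constructed sample log: alice follows a normal flow through the in-house ADFS,
# bob is handed off to an attacker-style host, carol only fetches a static asset.
SAMPLE_LOG = [
    "2025-08-21T09:58:03Z alice https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fwww.office.com%2F https://www.office.com/",
    "2025-08-21T09:58:04Z alice https://sts.example-corp.internal/adfs/ls/?wa=wsignin1.0 https://login.microsoftonline.com/",
    "2025-08-21T10:02:11Z bob https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc&redirect_uri=https%3A%2F%2Foffice-login.example.net%2Fsignin https://www.google.com/",
    "2025-08-21T10:02:12Z bob https://office-login.example.net/adfs/ls/?wa=wsignin1.0 https://login.microsoftonline.com/",
    "2025-08-21T10:05:40Z carol https://cdn.example.net/static/app.js https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for finding in detect_suspicious_redirects(SAMPLE_LOG):
        print(finding)
```

Only bob's two lines produce findings: the Microsoft sign-in URL he was sent to names an off-allowlist redirect target, and the next request lands on a sign-in page at that same host. Alice's hop to the organization's own ADFS endpoint is silent because that host is on the allowlist, and carol's asset fetch is silent because its path is not a sign-in page. Keeping the allowlist tight is the point of the "restrict which domains can be used" advice; the detection is only as good as that list.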