- A new phishing scheme successfully bypasses most security tools
- It abuses ads and Microsoft’s Active Directory Federation Services tool
- It is designed to steal login credentials, so users should take care
Cybercriminals have found a clever way to make phishing sites look like legitimate login pages, successfully stealing Microsoft credentials, experts have warned.
Cybersecurity researchers at Push Security recently published an in-depth report on how the scam works, outlining how the attackers created fake login pages that mimicked authentic Microsoft 365 sign-in screens.
Then, instead of sending victims directly to the site, which would probably get flagged by security solutions and quickly blocked, they used a Microsoft feature called Active Directory Federation Services (ADFS). Companies normally use it to connect their internal systems to Microsoft services.
How to stay safe
By setting up their own Microsoft account, and configuring it with ADFS, Microsoft’s service is tricked to redirect users to the phishing site, while making the link look legitimate because it starts with something like ‘outlook.office.com’.
Furthermore, the phishing link was not being distributed by email, but rather – malvertising. Victims were searching for “Office 265” which was presumably a typo, and were then taken to an Office login page. The ad also used a fake travel blog – bluegraintours[.]com – as a middle step to hide the attack.
The way the entire campaign was set up made it particularly dangerous. With the link looking like it was coming from Microsoft, and it successfully bypassing many security tools checking for bad links – its success rate was probably higher compared to “traditional” phishing.
Furthermore, since it doesn’t rely on email, the usual email filters couldn’t catch it. Finally, the landing page could even bypass multi-factor authentication (MFA), which made it even more dangerous.
In order to prevent such scams from causing any real harm, IT teams should block ads, or at least monitor ad traffic, and watch for redirects from MIcrosoft login pages to unknown domains.
Finally, users should be careful when typing in search terms – a simple typo can lead to a fake ad that can result in device compromise and account takeover.
Via BleepingComputer
