New Campaign Uses Active Directory Federation Services to Steal M365 Credentials


Researchers at Push Security have discovered a new phishing campaign that targets Microsoft 365 (M365) systems and uses Active Directory Federation Services (ADFS) to enable credential theft.

The technique abuses Microsoft's own federated-login redirect, so that a legitimate Microsoft domain becomes the first hop in a phishing chain.

Sophisticated Phishing Infrastructure

The campaign begins with malvertising lures distributed via Google search results, where users searching for terms like “Office 365” (often mistyped as “Office 265”) encounter sponsored links that masquerade as official Microsoft resources.

These ads, carrying Google tracking parameters, redirect victims through a chain that ultimately lands on a reverse-proxy phishing site. The proxy relays the real Microsoft login and captures the resulting session, which lets the attacker bypass multi-factor authentication (MFA) without needing the second factor themselves.

The phishing kit itself is unremarkable: a standard Attacker-in-the-Middle (AitM) setup cloning Microsoft's login page. The innovation lies in its delivery and evasion tactics, which Push documented through hands-on dissections of real-world kits targeting its customers.

Figure: the malicious Microsoft login page.

Central to this campaign is the abuse of ADFS, Microsoft's on-premises federation and single sign-on (SSO) service, which lets organisations authenticate Active Directory users to cloud services such as Microsoft Entra ID (formerly Azure AD) and M365 through their own identity provider.

Technical Breakdown of the Redirect Chain

Attackers register their own Microsoft tenant and federate a domain they control, such as bluegraintours[.]com, with an ADFS endpoint they run. Because Microsoft honours a tenant's federation settings during home-realm discovery, login.microsoftonline.com will itself send users of that domain to the attacker's ADFS endpoint.

Figure: screen capture of the bluegraintours site.

This domain, disguised as an innocuous travel blog with AI-generated content, including fabricated blog posts from pseudonymous authors like "John Doe" and "Jane Smith," serves as an invisible redirector.

When victims click the malvertising link, they are funnelled from outlook.office.com, via login.microsoftonline.com, through this domain's /adfs/ls/ path and on to the phishing endpoint (e.g., login-microsoftonline[.]offirmtm[.]com). The hop to the attacker's domain is a redirect issued by Microsoft itself.

To the user this looks like a legitimate tenant-specific landing page, akin to SAMLjacking techniques in which an identity provider's configuration is poisoned so that it proxies authentication.

Because the first hops sit on Microsoft-owned, trusted domains, URL-based detections, automated scanners, and proxy filters that rely on domain categorization see only reputable hosts until the final landing page.

Further evasion comes from conditional loading: the phishing page only activates under specific conditions, such as an expected user agent or geolocation; otherwise the visitor is bounced back to office.com, which frustrates sandboxing and static analysis.

Push's timelines feature, which traces browsing chains (redirects, tabs, forms, and inputs), was instrumental in mapping this flow from the initial Google ad click to credential capture. Notably, no phishing email was involved, underlining the shift toward non-email delivery vectors such as search ads, social media, instant messengers, and attachments.

This campaign underscores the evolving sophistication of phishing evasion: ADFS federation redirects function as open redirects on a Microsoft domain, available to any attacker able to create a Microsoft tenant, a low barrier that requires little more than a credit card.

It parallels earlier high-impact issues such as an open redirect in Outlook.com, and the risk is amplified in environments without robust monitoring of the login flow.

For detection, organizations should scrutinize proxy logs for redirects from login.microsoftonline.com to unfamiliar domains serving /adfs/ls/ paths. Organizations that use ADFS themselves should allowlist their own federation hosts and treat any other /adfs/ls/ destination reached via a Microsoft login redirect as suspicious.

According to the report, monitoring Google redirects to office.com that carry ad parameters can flag malvertising variants, while browser-wide ad blockers mitigate this lure channel, though they do nothing against the other delivery methods noted above.
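The two detection ideas above, turned into a small proxy-log triage script. This is an added example, not code from Push Security or from the article. It assumes a simple whitespace-separated proxy log of the form `timestamp client_ip status url referrer` (referrer `-` when absent) and a per-organization allowlist of legitimate ADFS hosts; the sample log lines are constructed for illustration (the two attacker hostnames come from the article, every other value is made up). The rogue-redirect rule works on request sequence per client, since many proxies do not record the Location header: a 3xx from a Microsoft login host followed shortly by a request to an /adfs/ls/ path on a host that is not your own federation server.

```python
"""
Triage proxy logs for (1) office.com hits carrying Google ad-click parameters
and (2) Microsoft login redirects that land on an unknown ADFS endpoint.
Added example; log format, allowlist and sample data are assumptions.
"""
from collections import namedtuple
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

Record = namedtuple("Record", "ts client status url referrer")

# Assumption: fill from your own tenant's federation configuration.
KNOWN_ADFS_HOSTS = {"adfs.corp.example.com"}

MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
OFFICE_HOSTS = {"office.com", "www.office.com", "outlook.office.com"}
# gclid is Google's ad-click identifier; extend with whatever your ads team sees.
AD_PARAMS = {"gclid", "gad_source"}

# Constructed sample log: "timestamp client status url referrer".
SAMPLE_LOG = """\
2025-10-01T09:12:00Z 10.1.2.3 302 https://outlook.office.com/?gclid=EAIaIQ0bChMI https://www.google.com/
2025-10-01T09:12:01Z 10.1.2.3 302 https://login.microsoftonline.com/common/oauth2/authorize?client_id=example https://outlook.office.com/
2025-10-01T09:12:02Z 10.1.2.3 302 https://bluegraintours.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline -
2025-10-01T09:12:03Z 10.1.2.3 200 https://login-microsoftonline.offirmtm.com/ -
2025-10-01T10:00:00Z 10.1.2.9 302 https://login.microsoftonline.com/common/oauth2/authorize?client_id=example -
2025-10-01T10:00:01Z 10.1.2.9 200 https://adfs.corp.example.com/adfs/ls/?wa=wsignin1.0 -
2025-10-01T11:00:00Z 10.1.2.7 200 https://www.office.com/ https://www.google.com/
"""


def parse_line(line):
    """Parse one log line into a Record (assumed five-field format)."""
    ts, client, status, url, referrer = line.split()
    return Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                  client, int(status), url, referrer)


def find_suspicious(lines, known_adfs_hosts=KNOWN_ADFS_HOSTS,
                    window=timedelta(seconds=10)):
    """Return (rule, client, url) findings for the two patterns."""
    findings = []
    last_ms_redirect = {}  # client -> time of most recent 3xx from a Microsoft login host
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        parts = urlparse(rec.url)
        host = (parts.hostname or "").lower()

        # Rule 1: malvertising lure, an office.com request carrying ad-click params.
        if host in OFFICE_HOSTS and AD_PARAMS & set(parse_qs(parts.query)):
            findings.append(("malvertising-lure", rec.client, rec.url))

        # Rule 2: remember Microsoft login redirects, then check where the client went next.
        if host in MS_LOGIN_HOSTS and rec.status in (301, 302, 303, 307, 308):
            last_ms_redirect[rec.client] = rec.ts
            continue
        prev = last_ms_redirect.get(rec.client)
        if prev is not None and rec.ts - prev <= window \
                and parts.path.lower().startswith("/adfs/ls"):
            if host not in known_adfs_hosts:
                findings.append(("rogue-adfs-redirect", rec.client, rec.url))
            last_ms_redirect.pop(rec.client, None)
    return findings


if __name__ == "__main__":
    for rule, client, url in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{rule:22} {client:10} {url}")
```

On the sample data the script flags the ad-parameter hit on outlook.office.com and the redirect to bluegraintours.com, and stays silent for the client that was sent to the organization's own ADFS host. In production you would feed it your proxy's real format, widen the window to your redirect latency, and seed the allowlist from your tenant's federation settings rather than from a hard-coded set.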

Broader recommendations include tool-agnostic hardening: threat intelligence feeds that track emerging kits, and behavioral analysis that detects AitM patterns rather than relying on URLs alone.

As phishing moves beyond email, defenses that are email-centric fall short; combining endpoint telemetry with full visibility into redirect chains becomes essential, and threat intelligence workflows need to account for delivery through search ads, federation redirects, and other non-email paths.
