ADFSJacking: Phishing via Legitimate Office.com Redirects


A new phishing method leverages Microsoft’s Active Directory Federation Services (ADFS) to redirect users from legitimate office.com URLs to credential-harvesting sites. Attackers create fake Microsoft tenants with ADFS enabled, allowing them to bypass URL-based detections by using trusted domains and complex redirect chains. This specific campaign uses malvertising, targeting users who accidentally search for misspelled terms like “Office 265” and click on promoted search results.

Severity Level: High

Attack Summary

The campaign uses a reverse-proxy phishing kit to intercept and steal user credentials and session cookies – including those protected by multi-factor authentication (MFA). However, the novelty lies in how the phishing page is delivered:

  • Attackers created a fake Microsoft 365 tenant and configured ADFS on it.
  • A user searching for “Office 265” on Google clicked a malicious Google ad.
  • That ad redirected the user through a fake blog site (bluegraintours[.]com) before reaching the phishing site at a domain like login-microsoftonline[.]offirmtm[.]com.
  • Microsoft’s legitimate outlook.office.com URL performed the final redirect – giving the attack a facade of authenticity and trust.

Infrastructure Components

  • Phishing Domain: login-microsoftonline[.]offirmtm[.]com
  • Redirect Domain: bluegraintours[.]com (fake site)
  • Initial Legitimate Entry Point: outlook.office.com
  • ADFS Path: /adfs/ls/ – Used to trigger redirection from Microsoft to attacker domain

Implications

  • Bypasses email filters, as the phishing URL is not directly delivered via email.
  • Legitimate Microsoft domains are weaponized for initial redirects, making detection harder.
  • High evasion rate for traditional security tooling reliant on URL scanning or domain reputation.

Recommendations

  1. Monitor proxy logs for ADFS redirects that could be malicious, e.g. login.microsoftonline.com redirecting to another domain with /adfs/ls/ in the path.
  2. Disable ADFS where unnecessary.
  3. Maintain a strict allowlist of trusted ADFS domains.
  4. Deploy browser-based ad blockers enterprise-wide.
  5. Block domains like bluegraintours[.]com and offirmtm[.]com.
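As an added illustration of recommendation 1 (and of the redirect chain described in the Attack Summary), the following Python script correlates web-proxy events per client and flags a request to an /adfs/ls/ path on a host that is not on the organisation's ADFS allowlist, rating it higher when a Microsoft login or Office host issued a 3xx redirect shortly before. This is example code written for this advisory, not code from the source report or from Microsoft; the space-separated log format, the allowlist entry adfs.example-corp.com, the partner host sso.partner-example.net, the client_id placeholder and the ten-second window are assumptions, and the sample log lines are constructed (the phishing and redirect domains in them are the ones listed above).

```python
"""Flag suspicious ADFS hops in web-proxy logs.

Rule (from the advisory's recommendation 1): a request whose path starts with
/adfs/ls/ on a host that is not an approved federation endpoint. The finding is
rated "high" when the same client received a 3xx redirect from a Microsoft
login/Office host within WINDOW_SECONDS, which is the shape of the chain the
advisory describes, and "medium" otherwise.

Assumptions for this example: a constructed log format of
"<epoch> <client_ip> <method> <url> <status>", a hypothetical allowlist, and a
fixed correlation window. Adapt parse_line() to your proxy's real format.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of federation endpoints the organisation actually uses.
TRUSTED_ADFS_HOSTS = {"adfs.example-corp.com"}

# Microsoft hosts from which a legitimate federation redirect is expected.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
MICROSOFT_LOGIN_SUFFIXES = (".office.com", ".office365.com")

# Assumed correlation window between the Microsoft redirect and the ADFS request.
WINDOW_SECONDS = 10


@dataclass
class ProxyEvent:
    ts: int
    client: str
    url: str
    status: int


def parse_line(line):
    """Parse one constructed log line: epoch client method url status."""
    ts, client, _method, url, status = line.split()
    return ProxyEvent(int(ts), client, url, int(status))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_microsoft_login_host(host):
    return host in MICROSOFT_LOGIN_HOSTS or host.endswith(MICROSOFT_LOGIN_SUFFIXES)


def is_untrusted_adfs_request(event):
    """True for /adfs/ls/ requests to any host outside the allowlist."""
    path = urlsplit(event.url).path
    return path.startswith("/adfs/ls/") and host_of(event.url) not in TRUSTED_ADFS_HOSTS


def find_suspicious_adfs_hops(lines):
    """Return one finding per untrusted ADFS request, with the Microsoft
    redirectors seen for that client inside the window as context."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: (e.client, e.ts))
    recent = {}  # client -> events still inside the window
    findings = []
    for ev in events:
        history = [h for h in recent.get(ev.client, []) if ev.ts - h.ts <= WINDOW_SECONDS]
        if is_untrusted_adfs_request(ev):
            redirectors = [
                h for h in history
                if 300 <= h.status < 400 and is_microsoft_login_host(host_of(h.url))
            ]
            # wtrealm (WS-Federation) tells the analyst which realm the hop claims to serve.
            params = parse_qs(urlsplit(ev.url).query)
            findings.append({
                "client": ev.client,
                "ts": ev.ts,
                "adfs_host": host_of(ev.url),
                "wtrealm": params.get("wtrealm", [""])[0],
                "preceded_by_microsoft_redirect": [host_of(h.url) for h in redirectors],
                "severity": "high" if redirectors else "medium",
            })
        history.append(ev)
        recent[ev.client] = history
    return findings


# Constructed sample log: one client following the advisory's chain, one using a
# legitimate allowlisted ADFS, and one hitting an unreviewed partner endpoint.
SAMPLE_LOG = """\
1718000000 10.1.2.3 GET https://www.google.com/search?q=office+265 200
1718000002 10.1.2.3 GET https://bluegraintours.com/ 302
1718000003 10.1.2.3 GET https://outlook.office.com/ 302
1718000003 10.1.2.3 GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=placeholder 302
1718000004 10.1.2.3 GET https://login-microsoftonline.offirmtm.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline 200
1718000010 10.1.2.4 GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=placeholder 302
1718000011 10.1.2.4 GET https://adfs.example-corp.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline 200
1718000020 10.1.2.5 GET https://sso.partner-example.net/adfs/ls/?wa=wsignin1.0 200
"""

if __name__ == "__main__":
    for finding in find_suspicious_adfs_hops(SAMPLE_LOG.splitlines()):
        print(finding)
```

Correlating on the client's preceding events rather than on the Referer header matters here: browsers carry the original page's Referer across an HTTP redirect chain, so the Microsoft hop would not appear as the referer of the attacker's /adfs/ls/ request. The allowlist check is what turns recommendation 3 into a detection; any /adfs/ls/ host outside it is worth a look even without a preceding Microsoft redirect, which is why such hits are kept at "medium" instead of dropped.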

Source:

  • https://pushsecurity.com/blog/phishing-with-active-directory-federation-services/



Ampcus Cyber