A new phishing campaign is exploiting Microsoft’s legacy ADFS identity solution to steal credentials and bypass MFA

Hackers are targeting organizations around the world that rely on Microsoft’s Active Directory Federation Services (ADFS) secure access system in an ongoing phishing campaign, according to new research.

Analysis from Abnormal Security describes how Microsoft’s ADfS, a legacy single-sign-on (SSO) solution that allows employees to use one set of credentials to authenticate across multiple applications and environments, is being mimicked by hackers to gain access to corporate networks.

The attackers use spoofed ADfS sign-in pages to trick victims into entering these credentials, as well as any second-factor authentication details used in for additional protection, such as one-time pass codes (OTPs).

Abnormal stated that the campaign’s success has been driven by the attackers’ use of highly convincing phishing techniques including making their phishing emails appear as if they were sent from trusted entities.

For example, the attack tends to begin with an email designed to appear as a notification from the organization’s IT helpdesk, informing the recipient of an urgent update they need to initiate using a link provided in the message.

The URLs included in the emails were also obfuscated, mimicking the familiar link structure of legitimate ADfS links, helping them pass some link verification checks and not raise the victim’s suspicion.

The fake login pages were also specifically crafted to be identical to the official portal used by the victim’s organization.

Abnormal added that these pages dynamically pull the respective organization’s logo from its legitimate website and incorporate specific branding elements such as relevant colors and imagery.

According to the organization’s MFA protocol, the phishing template includes forms designed to steal the specific second factor required to authenticate the victim’s account, including Microsoft Authenticator, Duo Security, and SMS verification.

Finally, targets are sent a message telling them they might need to approve a push notification or answer an automated call, which redirects the target to an official sign-in page further reducing their suspicion and completing the account takeover.

Education sector heavily targeted due to reliance on legacy tech

Abnormal observed a range of post-compromise activities, many of which are associated with financially-motivated attacks, including mail filter creation, lateral phishing, and further reconnaissance.

The mail filters were often named ‘recommended’ or based on the target’s name to avoid detection, and used obfuscated keywords such as ‘hish’ instead of ‘phish’ or ‘elpdes’ instead of ‘help desk’.

“By using non-obvious terms, the threat actors reduced the likelihood of security solutions or analysts identifying the filters as malicious,” Abnormal explained.

“These tailored techniques ensured that any responses to lateral phishing emails were intercepted and deleted, preventing the mailbox owner from noticing malicious activity or incoming replies.”

The report noted the campaign was used to target over 150 organizations in the US, Canada, Australia, and Europe. The targets occupied a range of industries but the campaign disproportionately attacked those in the education sector such as schools and universities, who received over 50% of the total number of attacks.

Abnormal said Microsoft advises that organizations transition to its modern identity platform, Entra, speculating that attackers are exploiting the fact that many organizations still rely on its legacy ADFS system.

“This reliance is particularly prevalent in sectors with slower technology adoption cycles or legacy infrastructure dependencies—making them prime targets for credential harvesting and account takeovers,” the report suggested.

It added that educational organizations often exhibit less mature cybersecurity defenses, and feature environments with high user volumes, legacy technology, and fewer security personnel due to budget constraints, making them ideal targets.

Abnormal’s findings highlight that even more advanced security layers such as MFA can be bypassed using sophisticated social engineering. The firm emphasized this demonstrates that they adopt a multi-layered approach to cyber defense.

This would include robust defenses such as advanced email filtering and behavior monitoring, boosting user awareness of potential threat tactics, and transitioning to modern platforms and instead of relying on legacy systems for critical functions like secure access.