Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label ADFS. Show all posts
Microsoft
ADFS Cyber Security Lateral Phishing MFA Microsoft

Sophisticated Phishing Campaign Circumvents Microsoft's Multi Factor Authentication

 

A help desk phishing campaign uses spiofed login pages to target Microsoft Active Directory Federation Services (ADFS) within an organisation in order to obtain credentials and get around multi-factor authentication (MFA) protections. The campaign's main targets, as reported by Abnormal Security, are government, healthcare, and educational institutions; at least 150 targets were chosen in the attack. 

These assaults aim to infiltrate corporate email accounts to disseminate messages to additional victims within the organisation or launch financially driven attacks such as business email compromise (BEC), wherein payments are redirected to the perpetrators' accounts. 

Microsoft Active Directory Federation Services (ADFS) is an authentication system that enables users to log in once and then access various apps and services without having to enter their credentials again. It is often employed in large companies to enable single sign-on (SSO) for internal and cloud-based services. 

The perpetrators send emails to targets impersonating their company's IT team, requesting that they log in to update security settings or adopt new policies. When victims click on the embedded button, they are redirected to a phishing site that looks identical to their organization's actual ADFS login page. The phishing page prompts the victim to input their username, password, and MFA code or tricked them into approving the push notification. 

"The phishing templates also include forms designed to capture the specific second factor required to authenticate the targets account, based on the organizations configured MFA settings," reads Abnormal Security's report. "Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification.” 

Once the victim has entered all of their information, they are sent to the real sign-in page, which reduces suspicion and gives the impression that the procedure was completed successfully. Meanwhile, the hackers use the stolen details to gain access into the victim's account, steal any valuable data, set up new email filter rules, and attempt lateral phishing.

According to Abnormal, the attackers in this campaign utilised Private Internet Access VPN to hide their location and assign an IP address that was closer to the organisation. Abnormal recommends that organisations move to modern and more secure solutions, such as Microsoft Entra, as well as add additional email filters and suspicious behaviour detection methods, to prevent phishing attempts.
Read more »
Windows
ADFS Microsoft Password Phishing Attacks Technology Windows

Hackers Steal Login Details via Fake Microsoft ADFS login pages

Microsoft ADFS login pages

A help desk phishing campaign attacked a company's Microsoft Active Directory Federation Services (ADFS) via fake login pages and stole credentials by escaping multi-factor authentication (MFA) safety.

The campaign attacked healthcare, government, and education organizations, targeting around 150 victims, according to Abnormal Security. The attacks aim to get access to corporate mail accounts for sending emails to more victims inside a company or launch money motivated campaigns such as business e-mail compromise (BEC), where the money is directly sent to the attackers’ accounts. 

Fake Microsoft ADFS login pages 

ADFS from Microsoft is a verification mechanism that enables users to log in once and access multiple apps/services, saving the troubles of entering credentials repeatedly. 

ADFS is generally used by large businesses, as it offers single sign-on (SSO) for internal and cloud-based apps. 

The threat actors send emails to victims spoofing their company's IT team, asking them to sign in to update their security configurations or accept latest policies. 

How victims are trapped

When victims click on the embedded button, it takes them to a phishing site that looks same as their company's authentic ADFS sign-in page. After this, the fake page asks the victim to put their username, password, and other MFA code and baits then into allowing the push notifications.

The phishing page asks the victim to enter their username, password, and the MFA code or tricks them into approving the push notification.

What do the experts say

The security report by Abnormal suggests, "The phishing templates also include forms designed to capture the specific second factor required to authenticate the targets account, based on the organization's configured MFA settings.” Additionally, "Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification."

After the victim gives all the info, they are sent to the real sign-in page to avoid suspicious and make it look like an authentic process. 

However, the threat actors immediately jump to loot the stolen info to sign into the victim's account, steal important data, make new email filter rules, and try lateral phishing. 

According to Abnormal, the threat actors used Private Internet Access VPN to hide their location and allocate an IP address with greater proximity to the organization.  

Read more »
Subscribe to: Posts (Atom)