A help desk phishing campaign uses spoofed login pages to target Microsoft Active Directory Federation Services (ADFS) within an organisation in order to obtain credentials and get around multi-factor authentication (MFA) protections. The campaign's main targets, as reported by Abnormal Security, are government, healthcare, and educational institutions; at least 150 targets were chosen in the attack.
These assaults aim to infiltrate corporate email accounts to disseminate messages to additional victims within the organisation or launch financially driven attacks such as business email compromise (BEC), wherein payments are redirected to the perpetrators' accounts.
Microsoft Active Directory Federation Services (ADFS) is an authentication system that enables users to log in once and then access various apps and services without having to enter their credentials again. It is often employed in large companies to enable single sign-on (SSO) for internal and cloud-based services.
The perpetrators send emails to targets impersonating their company's IT team, requesting that they log in to update security settings or adopt new policies.
When victims click on the embedded button, they are redirected to a phishing site that looks identical to their organisation's actual ADFS login page. The phishing page prompts the victim to input their username, password, and MFA code, or tricks them into approving the push notification.
"The phishing templates also include forms designed to capture the specific second factor required to authenticate the target's account, based on the organization's configured MFA settings," reads Abnormal Security's report. "Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification."
Once the victim has entered all of their information, they are sent to the real sign-in page, which reduces suspicion and gives the impression that the procedure was completed successfully. Meanwhile, the attackers use the stolen details to gain access to the victim's account, steal any valuable data, set up new email filter rules, and attempt lateral phishing.
According to Abnormal, the attackers in this campaign used Private Internet Access VPN to hide their location and obtain an IP address that was geographically closer to the targeted organisation.
Abnormal recommends that organisations move to modern and more secure solutions, such as Microsoft Entra, as well as add additional email filters and suspicious behaviour detection methods, to prevent phishing attempts.
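Because the phished MFA code or approved push satisfies the second factor, the resulting sign-in looks legitimate and the clearest signal is what happens next: the inbox filter rules the article says the attackers create to hide or forward mail. The detector below is an added example written for this article, not code from Abnormal Security or Microsoft. It runs over a constructed, simplified event schema (the field names are assumptions, not the Microsoft 365 audit log format) and flags an inbox rule that deletes or externally forwards mail when it is created shortly after a successful sign-in for the same user.

```python
"""
Added example: correlate a successful (MFA-satisfied) sign-in with an inbox
rule created shortly afterwards that hides or forwards mail.

The event schema here is constructed for illustration; it is NOT the
Microsoft 365 Unified Audit Log or any vendor's real field names.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Timestamps are UTC, ISO-8601.
SAMPLE_EVENTS = [
    {"ts": "2025-02-05T09:01:00", "user": "alice@example.org", "type": "signin",
     "result": "success", "ip": "203.0.113.10", "mfa": "push_approved"},
    {"ts": "2025-02-05T09:04:30", "user": "alice@example.org", "type": "inbox_rule_created",
     "rule": {"name": ".", "actions": ["delete"],
              "conditions": {"subject_contains": ["invoice", "payment"]}}},
    {"ts": "2025-02-05T09:06:00", "user": "alice@example.org", "type": "inbox_rule_created",
     "rule": {"name": "fwd", "actions": ["forward:attacker@example.net"], "conditions": {}}},
    {"ts": "2025-02-05T10:00:00", "user": "bob@example.org", "type": "signin",
     "result": "success", "ip": "198.51.100.7", "mfa": "push_approved"},
    {"ts": "2025-02-05T15:00:00", "user": "bob@example.org", "type": "inbox_rule_created",
     "rule": {"name": "Newsletters", "actions": ["move:Newsletters"],
              "conditions": {"from_contains": ["news@"]}}},
]

INTERNAL_DOMAINS = {"example.org"}          # assumed tenant domains
WINDOW = timedelta(minutes=30)              # sign-in -> rule creation window
# Subjects a BEC or lateral-phishing operator typically wants hidden from the owner.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "password", "mfa", "security"}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def rule_risk(rule: dict) -> list:
    """Return the reasons an inbox rule looks like attacker persistence (empty if none)."""
    reasons = []
    for action in rule["actions"]:
        if action == "delete":
            reasons.append("deletes matching mail")
        elif action.startswith("forward:"):
            dest = action.split(":", 1)[1]
            if dest.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                reasons.append(f"forwards to external address {dest}")
    if len(rule["name"].strip()) <= 2:
        # Heuristic: hiding rules are often given a throwaway name such as "." or ",".
        reasons.append("near-empty rule name")
    keywords = {k.lower() for k in rule["conditions"].get("subject_contains", [])}
    if keywords & SUSPICIOUS_KEYWORDS:
        reasons.append("filters on finance/security keywords")
    return reasons


def detect(events: list, window: timedelta = WINDOW) -> list:
    """Alert on risky inbox rules created within `window` of the user's last successful sign-in."""
    last_signin = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "signin" and e["result"] == "success":
            last_signin[e["user"]] = e
        elif e["type"] == "inbox_rule_created":
            reasons = rule_risk(e["rule"])
            signin = last_signin.get(e["user"])
            if reasons and signin and _parse(e["ts"]) - _parse(signin["ts"]) <= window:
                alerts.append({"user": e["user"], "rule": e["rule"]["name"],
                               "signin_ip": signin["ip"], "signin_mfa": signin["mfa"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Bob's rule is benign (it moves newsletters hours after sign-in) and produces no alert; Alice's two rules are flagged even though her sign-in carried an approved MFA push, which is the point: once the second factor has been phished, the sign-in itself is not the anomaly, so detection has to key on the follow-on mailbox changes and, where available, on the sign-in source (the article notes the attackers used a VPN exit near the organisation, so geolocation alone is a weak signal).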