Microsoft 365 logins stolen via ADFS redirects in phishing campaign
Summary
Hide ▲
Show ▼
A phishing campaign has been observed using legitimate ADFS redirects to steal Microsoft 365 logins. The attackers exploit trusted Microsoft infrastructure to bypass URL-based detection and multi-factor authentication, redirecting users from legitimate office.com links to phishing pages. The campaign targeted multiple organizations, starting with malicious sponsored links in Google search results. The attackers set up a custom Microsoft tenant with ADFS configured, allowing them to receive authorization requests and authenticate users on the phishing page. The phishing site was disguised with fake blog posts and conditional loading restrictions to evade detection and ensure only valid targets accessed the phishing page.
Timeline
-
20.08.2025 18:33 1 articles · 1mo ago
Phishing campaign uses ADFS redirects to steal Microsoft 365 logins
A phishing campaign has been observed using legitimate ADFS redirects to steal Microsoft 365 logins. The attackers exploit trusted Microsoft infrastructure to bypass URL-based detection and multi-factor authentication. The campaign starts with malicious sponsored links in Google search results, redirecting users from legitimate office.com links to phishing pages. The attackers set up a custom Microsoft tenant with ADFS configured, allowing them to receive authorization requests and authenticate users on the phishing page. The phishing site is disguised with fake blog posts and conditional loading restrictions to evade detection.
Show sources
- Hackers steal Microsoft logins using legitimate ADFS redirects — www.bleepingcomputer.com — 20.08.2025 18:33
Information Snippets
-
The phishing campaign leverages legitimate office.com links to redirect users to phishing pages.
First reported: 20.08.2025 18:331 source, 1 articleShow sources
- Hackers steal Microsoft logins using legitimate ADFS redirects — www.bleepingcomputer.com — 20.08.2025 18:33
-
The attack starts with malicious sponsored links in Google search results for Office 365.
First reported: 20.08.2025 18:331 source, 1 articleShow sources
- Hackers steal Microsoft logins using legitimate ADFS redirects — www.bleepingcomputer.com — 20.08.2025 18:33
-
Attackers set up a custom Microsoft tenant with ADFS to facilitate the phishing redirects.
First reported: 20.08.2025 18:331 source, 1 articleShow sources
- Hackers steal Microsoft logins using legitimate ADFS redirects — www.bleepingcomputer.com — 20.08.2025 18:33
-
The phishing page is disguised with fake blog posts and conditional loading restrictions.
First reported: 20.08.2025 18:331 source, 1 articleShow sources
- Hackers steal Microsoft logins using legitimate ADFS redirects — www.bleepingcomputer.com — 20.08.2025 18:33
-
The campaign does not appear to target specific industries or job roles.
First reported: 20.08.2025 18:331 source, 1 articleShow sources
- Hackers steal Microsoft logins using legitimate ADFS redirects — www.bleepingcomputer.com — 20.08.2025 18:33
-
Microsoft ADFS has been previously used in phishing campaigns, but this method is novel.
First reported: 20.08.2025 18:331 source, 1 articleShow sources
- Hackers steal Microsoft logins using legitimate ADFS redirects — www.bleepingcomputer.com — 20.08.2025 18:33
-
Push Security recommends monitoring ADFS redirects and checking Google redirects for malicious domains.
First reported: 20.08.2025 18:331 source, 1 articleShow sources
- Hackers steal Microsoft logins using legitimate ADFS redirects — www.bleepingcomputer.com — 20.08.2025 18:33
Similar Happenings
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud
A sophisticated ad fraud operation, SlopAds, exploited 224 Android apps to generate 2.3 billion daily ad bids. The apps, downloaded 38 million times across 228 countries, used steganography and hidden WebViews to create fraudulent ad impressions and clicks. The fraud was conditional, activating only if the app was installed via an ad click. Google removed the offending apps from the Play Store and updated Google Play Protect to warn users. The operation leveraged AI-themed services and a complex command-and-control infrastructure. The fraudulent behavior was designed to evade detection by blending malicious traffic into legitimate campaign data. The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion.
Increased Browser-Based Attacks Targeting Business Applications
Browser-based attacks targeting business applications have surged, exploiting modern work practices and decentralized internet apps. These attacks, including phishing, malicious OAuth integrations, and browser extensions, compromise business apps and data by targeting users. The attacks leverage various delivery channels and evasion techniques, making them difficult to detect and block. Phishing attacks have evolved to use non-email channels such as social media, instant messaging apps, and malicious search engine ads. These attacks often bypass traditional email security controls and are harder to detect. Attackers exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels. Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach. The rise in these attacks highlights the need for enhanced browser security measures and better visibility into user activities within the browser.
Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.
MostereRAT Malware Campaign Targets Japanese Windows Users
A new malware campaign using MostereRAT, a banking malware-turned-RAT, targets Japanese Windows users. The malware employs sophisticated evasion techniques, including the use of an obscure programming language and disabling of security tools, to maintain long-term access and control over compromised systems. The campaign begins with phishing emails that lure victims into downloading a malicious Word document. Once installed, MostereRAT deploys multiple modules to achieve persistence, privilege escalation, and remote access. The malware is designed to evade detection and disable various antivirus and endpoint detection and response (EDR) products, making it difficult for defenders to detect and mitigate the threat. The primary goal of MostereRAT is to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool. It can also perform Early Bird Injection to inject an EXE into svchost.exe.