- A new phishing scheme slips past most security tools
- It abuses online advertisements and Microsoft's Active Directory Federation Services
- It is designed to steal login credentials, so users should be careful
Cybercriminals have found a clever way to make phishing sites look like legitimate login pages and are successfully stealing Microsoft credentials, experts have warned.
Push Security researchers recently published an in-depth report on how the scam works, describing how the attackers built fake login pages that imitate the genuine Microsoft 365 sign-in screens.
Then, instead of sending victims directly to that site, which would probably be flagged by security solutions and quickly blocked, they used a Microsoft feature called Active Directory Federation Services (ADFS). Companies normally use it to connect their internal identity systems to Microsoft services.
How to stay safe
By setting up their own Microsoft tenant and configuring it with ADFS, the attackers trick Microsoft's service into redirecting users to the phishing site, while the link itself looks legitimate because it begins with something like 'outlook.office.com'.
In addition, the phishing link was not distributed by email but through malicious ads (malvertising). Victims searched for "Office 265", presumably a typo of "Office 365", and were taken to a fake Office login page. The ad also used a fake travel blog, Bluegraintours[.]com, as an intermediate step to hide the attack.
The way the whole campaign was set up made it particularly dangerous. Because the link appeared to come from Microsoft, many security tools that check links were fooled, so its success rate was probably higher than that of "traditional" phishing.
Moreover, since it does not rely on email, the usual email filters could not catch it. Finally, the landing page could even bypass multi-factor authentication (MFA), which makes it even more dangerous.
To stop such scams from causing real damage, IT teams should block ads, or at least monitor ad traffic, and watch for redirects from Microsoft's login pages to unknown domains.
Finally, users should be careful when typing search terms: a simple typo can lead to a fake ad that ends in device compromise and account takeover.
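As an added example of the monitoring the previous paragraph recommends (this is not code from Push Security or the article), the script below scans proxy logs for HTTP redirects that leave a Microsoft sign-in host for a domain that is neither Microsoft's nor the organisation's own federation endpoint. The log line format, the allowlist of Microsoft hosts, the trusted ADFS hostname (adfs.example.com) and the sample log entries are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve Microsoft 365 sign-in flows (assumed allowlist;
# the suffix checks in is_microsoft_host() cover the rest of these zones).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "outlook.office.com",
    "outlook.office365.com",
}
MICROSOFT_SUFFIXES = (".microsoftonline.com", ".microsoft.com", ".office.com", ".office365.com")

# The organisation's own ADFS endpoint(s): a redirect from Microsoft to these is
# the normal federated login path. Hypothetical hostname, not from the article.
TRUSTED_FEDERATION_HOSTS = {"adfs.example.com"}

# Assumed proxy log format, one request per line:
#   <timestamp> <client-ip> <status> "<requested-url>" "<Location header>" "<Referer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<status>\d{3}) '
    r'"(?P<url>[^"]*)" "(?P<location>[^"]*)" "(?P<referrer>[^"]*)"$'
)

# Constructed sample log: line 1 is a normal federated login to the trusted ADFS,
# line 2 is Microsoft-to-Microsoft, line 3 is the suspicious hop to an attacker
# tenant's federation endpoint, line 4 is an ordinary page load (no redirect).
SAMPLE_LOG = """\
2025-02-10T09:14:01Z 10.0.0.21 302 "https://login.microsoftonline.com/common/oauth2/authorize" "https://adfs.example.com/adfs/ls/" "https://outlook.office.com/"
2025-02-10T09:15:47Z 10.0.0.33 302 "https://outlook.office.com/owa/" "https://login.microsoftonline.com/common/oauth2/authorize" ""
2025-02-10T09:15:48Z 10.0.0.33 302 "https://login.microsoftonline.com/common/oauth2/authorize" "https://sts.attacker-tenant.example/adfs/ls/" "https://outlook.office.com/"
2025-02-10T09:20:05Z 10.0.0.40 200 "https://travel-blog.example/" "" "https://www.google.com/"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def host_of(url):
    """Lower-cased hostname of a URL, or '' when the URL is empty or has no host."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def is_microsoft_host(host):
    """True for hosts in the allowlist or under one of Microsoft's sign-in zones."""
    return host in MICROSOFT_LOGIN_HOSTS or host.endswith(MICROSOFT_SUFFIXES)


def suspicious_redirects(lines):
    """Return one alert per 3xx response issued by a Microsoft sign-in host whose
    Location target is neither a Microsoft host nor our own federation endpoint."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (300 <= rec["status"] < 400) or not rec["location"]:
            continue
        src_host = host_of(rec["url"])
        dst_host = host_of(rec["location"])
        if not is_microsoft_host(src_host):
            continue  # only interested in redirects that originate at Microsoft
        if is_microsoft_host(dst_host) or dst_host in TRUSTED_FEDERATION_HOSTS:
            continue  # expected hop within Microsoft or to our known ADFS
        alerts.append({"time": rec["ts"], "client": rec["src"], "from": src_host, "to": dst_host})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_redirects(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} client {alert['client']}: {alert['from']} -> {alert['to']}")
```

Run against the constructed sample it reports only the hop from login.microsoftonline.com to sts.attacker-tenant.example. In production the allowlist of trusted federation hosts must be kept accurate, since a legitimate ADFS endpoint missing from it would generate the same alert.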
Via BleepingComputer