- Security researchers warn about a new phishing campaign
- It abuses Microsoft's authentication system
- The objective is to steal login credentials and confidential data
Cybercriminals are abusing Microsoft Active Directory Federation Services (ADFS) to steal people's passwords, log in to their accounts and obtain any confidential information found there, experts have warned.
A new report by cybersecurity researchers at Abnormal Security describes how the attack begins with a phishing email that impersonates the target company's IT team and claims that the system has been updated and that all users need to authenticate again.
Naturally, the email also comes with a button to click, which takes the victim to a phishing site that is identical to the real ADFS login page of their organization.
Redirecting victims
Microsoft's Active Directory Federation Services is a single sign-on (SSO) solution that allows users to access multiple applications with a single set of credentials. It extends Active Directory (AD) to provide federated identity management, allowing secure authentication across different organizations, cloud services and applications.
The phishing page requests login credentials and MFA codes.
"The phishing templates also include forms designed to capture the specific second factor required to authenticate the targeted account, depending on the organization's configured MFA settings," Abnormal said in the report.
"Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security and SMS verification."
When the victim enters their login details, the page redirects them to the legitimate login page to keep up the deception. In the background, however, the attackers are already logging in, stealing confidential data, creating new email filter rules and attempting to move laterally across the target network.
Abnormal added that the campaign is mainly directed at organizations in the education, healthcare and public sector industries. So far, some 150 organizations have been attacked, it added. The campaign does not appear to be motivated by espionage; instead, it appears to be financially motivated.