Hackers steal Microsoft logins using legitimate ADFS redirects

Hackers are using a novel technique that combines legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 logins.

The method lets attackers bypass traditional URL-based detection and the multi-factor authentication process by leveraging a trusted domain on Microsoft's infrastructure for the initial redirect.

Legitimacy of a trusted redirect

Researchers at Push Security, a company that provides protection solutions against identity-based attacks, analyzed a recent campaign that targeted several of its customers and redirected employees from a legitimate outlook.office.com link to a phishing website.

While the phishing page itself had no special features that would prevent its detection, the delivery method relied on trusted infrastructure to avoid triggering security tools.

Push Security determined that the phishing attack started with the target clicking a malicious sponsored link in Google search results for "Office 265" (likely a typo of Office 365).

Clicking the malicious result would direct the target to Microsoft's office.com, which in turn redirected to another domain, bluegraintours[.]com, that further redirected to a phishing page set up to collect credentials.
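The chain described above (trusted Microsoft domain, then an intermediate redirector, then a credential-harvesting page) is exactly the shape a defender can hunt for in web-proxy logs: URL reputation on the first hop looks clean, but the chain as a whole lands somewhere it should not. The following detection script is an added example and is not code from the article or from Push Security. It assumes a simple constructed proxy log format (client, HTTP status, requested URL, Location header) and uses placeholder `.example` domains in place of the real redirector and phishing hosts; the trusted-origin and allowed-destination sets are assumptions to be tuned per tenant (for instance, to include your own ADFS host).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the article). Format per line:
# <client-ip> <http-status> <requested-url> <location-header-or-dash>
# Client 10.0.0.5 follows a chain office.com -> redirector -> phishing page;
# client 10.0.0.7 follows a normal sign-in redirect to Microsoft's login host.
SAMPLE_LOG = """\
10.0.0.5 302 https://outlook.office.com/owa/ https://redirector.example/land
10.0.0.5 302 https://redirector.example/land https://phish.example/auth
10.0.0.5 200 https://phish.example/auth -
10.0.0.7 302 https://outlook.office.com/owa/ https://login.microsoftonline.com/common/oauth2/authorize
10.0.0.7 200 https://login.microsoftonline.com/common/oauth2/authorize -
"""

# Assumption: Microsoft portal hosts from which a redirect is expected to start.
TRUSTED_ORIGINS = {"outlook.office.com", "www.office.com", "office.com"}

# Assumption: hosts a redirect from the portal may legitimately land on.
# Add your tenant's own ADFS / identity-provider hostname here.
ALLOWED_DESTINATIONS = {"login.microsoftonline.com", "login.live.com", "adfs.corp.example"}

LOG_RE = re.compile(r"^(\S+) (\d{3}) (\S+) (\S+)$")


def host(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def parse_log(text):
    """Parse the constructed log format into (client, status, url, location) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        client, status, url, location = m.groups()
        events.append((client, int(status), url, None if location == "-" else location))
    return events


def build_chains(events):
    """Stitch 3xx hops into redirect chains per client.

    A request continues an existing chain when its URL equals the Location
    header of that chain's last hop; otherwise it starts a new chain.
    """
    chains = defaultdict(list)  # client -> list of chains (each a list of URLs)
    for client, status, url, location in events:
        chain = next((c for c in chains[client] if c[-1] == url), None)
        if chain is None:
            chain = [url]
            chains[client].append(chain)
        if 300 <= status < 400 and location:
            chain.append(location)
    return chains


def suspicious_chains(chains):
    """Flag chains that start on a trusted Microsoft host but end on a host
    that is neither trusted nor an allowed sign-in destination."""
    findings = []
    for client, chain_list in chains.items():
        for chain in chain_list:
            if len(chain) < 2:
                continue
            first, last = host(chain[0]), host(chain[-1])
            if first in TRUSTED_ORIGINS and last not in TRUSTED_ORIGINS \
                    and last not in ALLOWED_DESTINATIONS:
                findings.append((client, chain))
    return findings


def analyze(log_text):
    """Full pipeline: log text -> list of (client, chain) findings."""
    return suspicious_chains(build_chains(parse_log(log_text)))


if __name__ == "__main__":
    for client, chain in analyze(SAMPLE_LOG):
        print(f"{client}: {' -> '.join(host(u) for u in chain)}")
```

Matching on the full Location URL rather than just the host keeps two unrelated requests to the same site from being glued into one chain; in a real deployment you would additionally bucket by time window and user, and feed the flagged final host into your block list and your identity provider's sign-in risk review.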

Figure: Timeline of the phishing attack (source: Push Security)

At first glance, getting to the malicious page appeared to have happened as a redirect from Microsoft’s office.com domain with no phishing email being involved.
