Hackers exploit Microsoft ADFS in phishing campaign targeting global organizations

A new phishing campaign is targeting organizations using Microsoft’s legacy Active Directory Federation Services (ADFS) to steal login credentials and bypass multi-factor authentication (MFA). Hackers create fake sign-in pages that closely resemble legitimate ADFS portals. The attackers use convincing emails that appear to come from trusted sources, often mimicking IT helpdesk notifications. They also obfuscate URLs to evade detection and dynamically incorporate the victim organization’s branding into the fake login pages. The campaign has affected over 150 organizations, particularly in the education sector, which is more vulnerable due to outdated technology and limited cybersecurity resources. Microsoft recommends transitioning to its modern identity platform, Entra, to enhance security.