Phishing Intelligence

Phishing Alert: Attackers Targeting Organizations That Use Microsoft ADFS for Single Sign-On

A new phishing campaign is targeting organizations that rely on Microsoft ADFS for single sign-on. Attackers send emails posing as IT staff, urging recipients to click on fake ADFS login links, in an attempt to steal credentials.

The incident

Cyber criminals are increasingly targeting organizations that use ADFS (Active Directory Federation Services), a Microsoft service that lets users access multiple applications with one set of login credentials. Attackers start by sending phishing emails disguised as messages from the IT team. These emails often carry urgent notices about security updates or policy changes and link to fraudulent ADFS login pages.

What makes this campaign particularly dangerous is the effort put into making the links look legitimate. The URLs closely mimic real ADFS login pages, so they slip past security tools and convince users that they are on a trusted ADFS login page.

Once a user clicks the link, they are taken to a fake login portal that looks nearly identical to the real one. Many unsuspecting users enter their credentials and MFA codes, unknowingly giving attackers full access to their accounts.

How to spot the phishing email?

Impact of the incident

Once attackers gain control of an account, they can infiltrate corporate networks, steal sensitive data, and carry out financially motivated cyber attacks. So far, over 150 organizations across industries including education, healthcare, government, and technology have been affected. Educational institutions account for more than 50% of the attacks because of their large number of users and their reliance on legacy systems.

How to stay safe?

  • Be cautious of emails claiming to be from IT, especially those with urgent security updates or policy changes. Confirm directly with your IT team if unsure.
  • Access login portals by typing the official URL into your browser instead of clicking email links.
  • Hover over links without clicking and watch out for slight differences in the URL structure.
  • Ensure Multi-Factor Authentication (MFA) settings are up to date and monitor for unauthorized login attempts.
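As an added example (not part of the original alert), the hover-and-compare advice above turned into a check a mail gateway or help-desk script can run over a message body: it flags links whose destination embeds the trusted ADFS domain inside another domain, typosquats it by a character or two, or differs from the host the visible link text shows. The trusted domain `example.com` and `SAMPLE_EMAIL` are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders: substitute your organisation's real ADFS domain and
# feed real message bodies instead of this sample, whose visible text names the
# real portal while the href points elsewhere.
TRUSTED_DOMAIN = "example.com"
SAMPLE_EMAIL = ('<a href="https://adfs.example.com.login-verify.net/adfs/ls/">'
                'https://adfs.example.com/adfs/ls/</a>')

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats of the trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url):
    """Return ('ok' | 'suspicious', reason) for one link destination."""
    host = host_of(url)
    if not host:
        return "suspicious", "no hostname in link"
    reg = ".".join(host.rstrip(".").split(".")[-2:])  # naive; use the Public Suffix List in production
    if reg == TRUSTED_DOMAIN:
        return "ok", "host under trusted domain"
    if TRUSTED_DOMAIN in host or TRUSTED_DOMAIN.replace(".", "-") in host:
        return "suspicious", f"trusted domain embedded in foreign domain {reg}"
    if levenshtein(reg, TRUSTED_DOMAIN) <= 2:
        return "suspicious", f"{reg} is a near miss for {TRUSTED_DOMAIN}"
    return "ok", f"unrelated domain {reg}"

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def scan_html_email(html):
    """Classify each anchor; also flag links whose visible text names a host other than the real destination."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        verdict, reason = classify_url(href)
        shown = re.search(r"https?://[^\s<]+", text)
        if verdict == "ok" and shown and host_of(shown.group(0)) != host_of(href):
            verdict, reason = "suspicious", "link text shows a different host than the destination"
        findings.append((href, verdict, reason))
    return findings
```

Running `scan_html_email(SAMPLE_EMAIL)` flags the single link because the real ADFS domain is only a subdomain of `login-verify.net`.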

Source

Hackers Exploits ADFS to Bypass MFA & Gain Access to Critical Systems
