- Security researchers are warning of a new phishing campaign
- It abuses Microsoft's authentication system
- The objective is to steal sensitive data and login credentials
Cybercriminals are impersonating Microsoft Active Directory Federation Services (AD FS) to steal people's passwords, log in to their accounts and harvest all the sensitive information found there, experts have warned.
A new report by cybersecurity researchers at Abnormal Security describes how the attack begins with a phishing email that impersonates the target company's IT team and claims that the system has been upgraded and that all users must sign in again.
Naturally, the email also carries a clickable button, which takes the victim to a phishing site that looks identical to their organization's real AD FS login page.
Redirecting the victims
Microsoft Active Directory Federation Services (AD FS) is a single sign-on (SSO) solution that allows users to access several applications with a single set of credentials. It extends Active Directory (AD) to provide federated identity management, allowing seamless and secure authentication across different organizations, cloud services and applications.
The fake page asks for login credentials and MFA codes.
"Phishing templates also include forms designed to capture the second specific factor required to authenticate the target account, depending on the MFA settings configured by the organization," Abnormal said in the report.
"Abnormal observed templates targeting several commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security and SMS verification."
When the victim enters their login details, the landing page redirects them to the legitimate login page to keep the ruse going. In the background, however, the attackers are already logging in, stealing sensitive data, creating new mail filter rules and attempting to move laterally through the target network.
Abnormal added that the campaign mainly targets organizations in the education, healthcare and public sectors. So far, around fifteen organizations have been targeted, it added. The goal of the campaign does not appear to be espionage; instead, it seems to be financially motivated.
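The mail filter rules mentioned above are one of the few post-compromise steps a defender can see in audit logs. The following is an added example, not code from the article or from Abnormal Security: a small scanner that reads constructed mailbox-rule creation events and flags the patterns an intruder typically sets up (forwarding to an outside domain, silently deleting or hiding mail, filtering on security-warning or finance keywords, near-empty rule names). The event shape is loosely modelled on Exchange Online "New-InboxRule" audit records, but the field names and sample values here are assumptions for illustration, and `example.org` is the assumed internal domain.

```python
"""Flag suspicious mailbox-rule creation in constructed audit events (example code)."""
import json
from dataclasses import dataclass

# Keywords an attacker commonly filters on to hide security alerts or hijack payment threads.
SUSPICIOUS_KEYWORDS = {"password", "hacked", "phishing", "phish", "invoice",
                       "payment", "wire", "security", "suspicious"}
# Folders a user rarely opens, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive", "junk email"}

# Constructed sample events (assumed simplified schema, not a guaranteed vendor format).
SAMPLE_EVENTS = [
    {"UserId": "alice@example.org", "Operation": "New-InboxRule", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "bob@example.org", "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "password;hacked;phishing"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "carol@example.org", "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "attacker-mailbox@mail.example.net"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"UserId": "dave@example.org", "Operation": "Set-Mailbox", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "irrelevant"}]},
]


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: list


def analyse_event(event, internal_domains=("example.org",)):
    """Return a Finding for a suspicious New-InboxRule event, or None."""
    if event.get("Operation") != "New-InboxRule":
        return None
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    reasons = []

    # 1. Auto-forward or redirect to a domain the organisation does not own.
    for action in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(action)
        if target:
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                reasons.append(f"{action} external domain {domain}")

    # 2. The rule silently deletes or hides matching mail.
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage enabled")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to low-visibility folder {folder!r}")

    # 3. Keyword conditions that match security warnings or finance language.
    words = set()
    for cond in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        for w in params.get(cond, "").split(";"):
            w = w.strip().lower()
            if w:
                words.add(w)
    hits = sorted(words & SUSPICIOUS_KEYWORDS)
    if hits:
        reasons.append(f"filters on keywords {hits}")

    # 4. A rule named with one or two punctuation characters is hard to notice in the UI.
    name = params.get("Name", "")
    if len(name.strip()) <= 2:
        reasons.append(f"near-empty rule name {name!r}")

    return Finding(event["UserId"], name, reasons) if reasons else None


def scan(events, internal_domains=("example.org",)):
    """Run analyse_event over a batch of audit events and return the findings."""
    return [f for f in (analyse_event(e, internal_domains) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding.__dict__, indent=2))
```

On the constructed sample the benign "Newsletters" rule passes, the `Set-Mailbox` event is ignored, and the two rules that delete security-warning mail or forward invoice threads off-domain are reported with the specific reasons, which is the level of detail an analyst needs to decide whether the account was taken over after a credential phish like the one described here.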