- A new phishing scheme successfully bypasses most security tools
- It abuses advertisements and Microsoft's Active Directory Federation Services
- It is designed to steal login credentials, so users should be careful
Cybercriminals have found a clever way to make phishing sites look like legitimate login pages, and they are successfully stealing Microsoft credentials with it, experts have warned.
Researchers at Push Security recently published an in-depth report on how the scam works, describing how the attackers built fake login pages that imitated the genuine Microsoft 365 sign-in screens.
Then, instead of sending victims directly to that site, which would most likely be flagged by security tools and blocked quickly, they used a Microsoft feature called Active Directory Federation Services (ADFS). Companies normally use it to connect their internal systems to Microsoft services.
How to stay safe
By setting up their own Microsoft account and configuring it with ADFS, the attackers tricked Microsoft's service into redirecting users to the phishing site, while the link still looked legitimate because it began with something like "outlook.office.com".
In addition, the phishing link was not distributed by email but through malvertising. Victims searched for "Office 265", most likely a typo, and were then taken to a fake Office login page. The ad also used a fake travel blog, Bluegraintours[.]com, as an intermediary to disguise the attack.
The way the whole campaign was set up made it particularly dangerous. Because the link appeared to come from Microsoft, it got past many security tools that check for malicious links, so its success rate was probably higher than that of "traditional" phishing.
Moreover, since it was not email-based, the usual email filters could not catch it. Finally, the landing page could even get around multi-factor authentication (MFA), which made it more dangerous still.
To prevent such scams from causing real damage, IT teams should block ads, or at least monitor ad traffic, and watch for redirects from Microsoft login pages to unknown domains.
Finally, users should be careful when typing search terms: a simple typo can lead to a malicious ad, which can result in a compromised device and an account takeover.
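One way to act on the advice above about watching for redirects from Microsoft login pages to unknown domains, as an added example that is not part of the original article or of Push Security's research: a small checker that reads proxy-style log lines recording a request URL, its HTTP status and any `Location` header, and flags redirects that leave a Microsoft sign-in host for a domain outside an allowlist. The log lines, the log format, the allowlist and the `adfs.example-corp.com` and `attacker-adfs.example` hosts are all constructed for this example.

```python
"""Flag HTTP redirects from Microsoft sign-in pages to unexpected domains."""
from urllib.parse import urlsplit

# Hosts where a Microsoft sign-in flow starts (illustrative, not exhaustive).
LOGIN_HOSTS = {"login.microsoftonline.com", "outlook.office.com", "login.live.com"}

# Domains a legitimate sign-in flow may redirect to. This is an assumed allowlist:
# a real deployment would add its own federation (ADFS) host, here the constructed
# adfs.example-corp.com, and maintain the Microsoft entries from Microsoft's docs.
EXPECTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com",
                     "live.com", "example-corp.com")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_expected(host: str) -> bool:
    """True if host equals an allowlisted domain or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)


def parse_line(line: str) -> dict:
    """Constructed log format: '<timestamp> <request_url> <status> <location_or_->'."""
    ts, url, status, location = line.split(maxsplit=3)
    return {"ts": ts, "url": url, "status": int(status),
            "location": None if location == "-" else location}


def suspicious_redirects(lines):
    """Return (timestamp, login_host, target_host) for each redirect that leaves a
    Microsoft sign-in host for a domain not on the allowlist."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["status"] not in (301, 302, 303, 307, 308) or not rec["location"]:
            continue  # not a redirect
        src = host_of(rec["url"])
        if src not in LOGIN_HOSTS:
            continue  # redirect did not start at a sign-in page
        target = host_of(rec["location"])
        if target and not is_expected(target):
            hits.append((rec["ts"], src, target))
    return hits


# Constructed sample log: three benign redirects, one plain page load, one suspicious hop.
SAMPLE_LOG = [
    "2025-02-10T09:00:01Z https://outlook.office.com/owa/ 302 https://login.microsoftonline.com/common/oauth2/authorize",
    "2025-02-10T09:00:03Z https://login.microsoftonline.com/common/oauth2/authorize 302 https://login.microsoftonline.com/common/login",
    "2025-02-10T09:00:40Z https://login.microsoftonline.com/common/login 302 https://adfs.example-corp.com/adfs/ls/",
    "2025-02-10T09:01:02Z https://outlook.office.com/mail/ 200 -",
    "2025-02-10T09:01:07Z https://login.microsoftonline.com/common/login 302 https://attacker-adfs.example/adfs/ls/",
]

if __name__ == "__main__":
    for ts, src, target in suspicious_redirects(SAMPLE_LOG):
        print(f"{ts} redirect from {src} to unexpected domain {target}")
```

Running the block prints the single suspicious hop to `attacker-adfs.example`; the redirect to the organisation's own ADFS host is not reported because its domain is on the allowlist.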
Via BleepingComputer