Hackers Targeted Microsoft ADFS Logins for Six Years to Steal Info

For years, cybercriminals have been targeting Microsoft’s Active Directory Federation Services (ADFS), compromising sensitive data across education, healthcare, and government institutions.

At least 150 organizations have been affected by this phishing campaign according to research from cybersecurity firm Abnormal Security. Attackers use fake login pages that closely resemble legitimate ADFS portals, tricking users into entering their credentials and multi-factor authentication (MFA) codes, which are then used to access internal systems.

ADFS, a single sign-on (SSO) system used by large organizations to grant access to multiple applications with one login, has become a prime target due to its widespread use and outdated security protections in some environments. Attackers send phishing emails posing as IT support, warning users about security updates or policy changes.

These messages contain links leading to spoofed ADFS login pages. When victims enter their credentials, the hackers collect the data and immediately use it to log in, steal files, modify email filters, and launch further attacks. BleepingComputer highlighted that the phishing templates are tailored to capture different types of MFA security methods, including Microsoft Authenticator, Duo Security, and SMS verification codes.

“Abnormal [Security] observed templates targeting multiple commonly used MFA mechanisms,” the company stated in its report. To avoid detection, the attackers then redirect victims to a legitimate login page, making them believe the process was successful. The education sector has been hit the hardest, accounting for over half of the affected organizations.

Other impacted industries include healthcare, government, technology, transportation, and manufacturing. Security experts warn that legacy IT systems and slower adoption of modern authentication methods make these organizations attractive targets. Cybercriminals appear to be financially motivated rather than engaging in espionage, often using stolen credentials for business email compromise (BEC) schemes to divert payments to fraudulent accounts.

Jim Routh, chief trust officer at Saviynt, explained that ADFS was originally designed for on-premises use but has since been extended to cloud services, making it more vulnerable to exploitation. Recent reports also highlight how Microsoft Azure and other cloud services have been exploited in cybercriminal campaigns to spread disinformation and distribute malware.