Exclusive: Inside the six-year phishing attack targeting Microsoft tool

Illustration: Sarah Grillo/Axios
A phishing campaign that's gone undetected for at least six years is targeting customers of Microsoft's legacy single sign-on application, according to a new report from Abnormal Security, exclusively shared with Axios.
Why it matters: The campaign has targeted more than 150 organizations across education, healthcare, government and technology sectors, and it relies on social engineering rather than a patchable security flaw.
How it works: Attackers trick employees at companies using Microsoft's Active Directory Federation Services (ADFS) into handing over login credentials and multi-factor authentication (MFA) codes.
- Victims receive phishing emails disguised as IT security updates.
- Clicking the link redirects them to a near-identical fake ADFS login page.
- They enter their credentials and MFA codes, unknowingly giving attackers access.
What they're saying: "It's been running since 2018 pretty much without big changes to the underlying infrastructure," Piotr Wojtyla, head of threat intel and platform at Abnormal Security, told Axios.
Zoom in: The campaign has not been attributed to a specific threat actor, but Wojtyla said it aligns with financially motivated cybercrime groups that may be selling stolen credentials.
- Most victims are in North America, Europe, and Australia, the report says.
By the numbers: Education organizations account for 52.8% of the attacks.
- Healthcare accounts for 14.8%, while government offices make up 12.5%.
The big picture: The campaign highlights the risks of social engineering and reliance on outdated identity systems.
- Microsoft has urged companies to migrate from ADFS to Entra ID, which offers stronger authentication tools, but many organizations — especially in education and healthcare — face budget and technology barriers to doing so.
Between the lines: Many organizations rely on legacy systems that are only compatible with ADFS. Moving to Entra ID would mean replacing or updating those dependent systems, not just the single sign-on tool.
Yes, but: Wojtyla noted this type of phishing campaign would still be possible against an organization using Entra ID.
The bottom line: Organizations should shorten the lifespan of session tokens and MFA codes to limit the time attackers have to use stolen credentials, Wojtyla said.
- Blocking known phishing domains associated with the campaign could also mitigate risks, as attackers have relied on the same infrastructure for years, he added.
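The flow described under "How it works" and the blocklist advice above both come down to one triage question for a link in a suspicious email: does it point at the organization's real ADFS sign-in endpoint, or at a lookalike? The script below is an added example written for this article, not code from Abnormal Security or Microsoft. It assumes a hypothetical organization whose legitimate federation host is sts.example.edu, a hypothetical blocklist of hosts previously tied to the campaign, and the constructed sample links embedded in it; the only facts it relies on from the real product are that ADFS serves its WS-Federation sign-in page under /adfs/ls/ and that sign-in requests carry wa=wsignin1.0 in the query string.

```python
"""Triage email or proxy-log URLs that imitate an ADFS sign-in page.

Added example for this article. All hosts, the blocklist and the sample
links are constructed assumptions, not infrastructure from the report.
"""
from urllib.parse import urlparse

# Assumption: the organization's real ADFS (federation) host.
LEGIT_FEDERATION_HOSTS = {"sts.example.edu"}
# Assumption: hosts already tied to the campaign, fed from threat intel.
KNOWN_PHISHING_HOSTS = {"sts-example-edu.it-security-update.example.net"}
# Real ADFS markers: the WS-Federation sign-in endpoint path and query.
ADFS_SIGNIN_PATH = "/adfs/ls"
ADFS_SIGNIN_QUERY = "wa=wsignin1.0"


def _squash(host: str) -> str:
    """Drop dots and hyphens so sts-example-edu and sts.example.edu compare equal."""
    return host.replace(".", "").replace("-", "")


def classify_url(url: str) -> str:
    """Return 'allow', 'suspect' or 'block' for one URL."""
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()  # hostname is already lowercased
    path = parts.path.lower()
    query = parts.query.lower()

    if host in KNOWN_PHISHING_HOSTS:
        return "block"  # infrastructure already attributed to the campaign
    if host in LEGIT_FEDERATION_HOSTS:
        return "allow"  # the real federation service, whatever the path

    # An ADFS sign-in page served from a host we do not own is the core of
    # the lure: the victim sees a familiar login form on the wrong domain.
    looks_like_adfs_signin = path.startswith(ADFS_SIGNIN_PATH) or ADFS_SIGNIN_QUERY in query
    # Lookalike host: our federation hostname embedded in a longer name,
    # e.g. sts.example.edu.login-portal.example.org or sts-example-edu.<attacker>.
    lookalike_host = any(_squash(legit) in _squash(host) for legit in LEGIT_FEDERATION_HOSTS)

    if looks_like_adfs_signin or lookalike_host:
        return "suspect"
    return "allow"


def scan(urls):
    """Classify a batch of URLs and return only those needing action."""
    flagged = []
    for url in urls:
        verdict = classify_url(url)
        if verdict != "allow":
            flagged.append((url, verdict))
    return flagged


# Constructed sample links, as they might be extracted from inbound mail.
SAMPLE_EMAIL_LINKS = [
    "https://sts.example.edu/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline",
    "https://sts-example-edu.it-security-update.example.net/adfs/ls/",
    "https://sts.example.edu.login-portal.example.org/adfs/ls/?wa=wsignin1.0",
    "http://203.0.113.10/adfs/ls/",
    "https://www.example.edu/news/it-security-update",
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_EMAIL_LINKS):
        print(f"{verdict:8s} {url}")
```

The blocklist check runs first because a known campaign host should be blocked even if it later changes its page layout; the path and lookalike checks catch new hosts that reuse the ADFS page. Feeding the blocklist from the indicators a vendor publishes is the cheap win the article points to, since the infrastructure has stayed stable for years.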
