Microsoft Accounts Under Attack in Education Sector

A new phishing campaign is actively exploiting Microsoft Active Directory Federation Services (ADFS) to bypass multifactor authentication (MFA), enabling attackers to take control of user accounts. By using this access, threat actors can infiltrate networks that rely on ADFS for single sign-on (SSO) authentication, expanding their malicious activities across multiple systems.

Researchers at Abnormal Security have identified that approximately 150 organisations, primarily within the education sector, are being targeted. These institutions use ADFS to authenticate users across both on-premises and cloud environments, making them prime targets for the attack.

The campaign operates through sophisticated phishing emails that redirect victims to counterfeit Microsoft ADFS login pages, customised to mirror their MFA setup. Once credentials and MFA codes are submitted, attackers seize control of accounts, exploiting the SSO functionality to move laterally across connected services. Post-compromise activities observed include reconnaissance, setting up email filters to intercept communications, and launching internal phishing attacks on other users.

Security experts warn that targeting ADFS, a legacy SSO system originally designed for internal networks, can have serious consequences. Jim Routh, Chief Trust Officer at Saviynt, highlights that while ADFS was built for use behind firewalls, its expanded adoption across cloud services has left it vulnerable to exploitation.

Hackers Use Help Desk Phishing Tactics to Steal Credentials

Attackers are deploying phishing emails disguised as IT help desk notifications to trick users into revealing their login credentials. These fraudulent messages often urge recipients to take immediate action, such as accepting an updated policy or completing a system upgrade, by clicking on a provided link.

To enhance credibility, the phishing emails feature spoofed sender addresses that appear to originate from trusted entities. Additionally, the attackers replicate legitimate Microsoft ADFS branding on fake login pages and craft malicious links that closely resemble real ADFS URLs, making detection more difficult.

By exploiting users’ familiarity with ADFS sign-in pages, the attackers successfully convince victims to enter both their credentials and multifactor authentication (MFA) codes, granting them full access to targeted accounts.

Education Sector Hit Hardest by Attacks

While the campaign affects multiple industries, educational institutions—such as schools and universities—account for over 50% of targeted organisations. This sector’s reliance on legacy systems, large user bases, limited cyber security resources, and outdated security protocols makes it an attractive target.

Beyond education, other industries affected include healthcare, government, technology, transportation, automotive, and manufacturing—sectors that often struggle with modernising authentication systems.

Microsoft and researchers at Abnormal Security recommend that organisations transition to Microsoft's Entra identity platform to strengthen authentication security. However, many organisations still depend on ADFS due to legacy infrastructure and slower technology adoption cycles, leaving them vulnerable to credential theft and account takeovers.

Strengthening Defences Against Phishing

Even for organisations that continue to use ADFS, following security best practices can reduce the risk. Recommended mitigations include:

- User Education: Training employees on modern phishing tactics and social engineering techniques.
- Advanced Email Filtering: Deploying email security solutions that detect and block phishing attempts before they reach inboxes.
- Anomaly Detection & Behaviour Monitoring: Using AI-driven tools to identify suspicious login attempts and unusual account activity, allowing for early threat detection.
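The behaviour-monitoring point above can be made concrete. The campaign described here ends with a successful sign-in from an attacker-controlled location followed by the creation of an email filter, so a simple correlation rule is to flag any mailbox rule created shortly after a successful sign-in from an IP address outside a user's historical baseline. The script below is an added illustration, not CybaVerse's or Abnormal Security's own tooling; the event records and IP addresses are constructed sample data, and the field names are assumptions rather than any real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Alice shows the takeover pattern
# described in the article: a sign-in from a never-seen IP, then an inbox rule
# nine minutes later. Bob creates a benign rule after a sign-in from his usual IP.
EVENTS = [
    {"ts": "2025-02-03T08:01:00", "user": "alice@uni.example", "type": "signin", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2025-02-03T08:05:00", "user": "alice@uni.example", "type": "signin", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2025-02-03T13:22:00", "user": "alice@uni.example", "type": "signin", "ip": "198.51.100.77", "result": "success"},
    {"ts": "2025-02-03T13:31:00", "user": "alice@uni.example", "type": "inbox_rule", "rule": "forward to external; mark read"},
    {"ts": "2025-02-03T09:00:00", "user": "bob@uni.example", "type": "signin", "ip": "203.0.113.11", "result": "success"},
    {"ts": "2025-02-03T09:10:00", "user": "bob@uni.example", "type": "inbox_rule", "rule": "move newsletters to folder"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(events, before):
    """Known IPs per user, learned from successful sign-ins before `before`."""
    baseline = defaultdict(set)
    for e in events:
        if e["type"] == "signin" and e["result"] == "success" and parse(e["ts"]) < parse(before):
            baseline[e["user"]].add(e["ip"])
    return baseline


def detect_takeover(events, known_ips, window=timedelta(hours=1)):
    """Return (user, signin_ts, rule_ts) for each inbox rule created within
    `window` of a successful sign-in from an IP not in that user's baseline."""
    alerts = []
    recent_new_ip = {}  # user -> time of the latest sign-in from an unknown IP
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        if e["type"] == "signin" and e["result"] == "success":
            if e["ip"] not in known_ips.get(e["user"], set()):
                recent_new_ip[e["user"]] = parse(e["ts"])
        elif e["type"] == "inbox_rule":
            t0 = recent_new_ip.get(e["user"])
            if t0 is not None and parse(e["ts"]) - t0 <= window:
                alerts.append((e["user"], t0.isoformat(), e["ts"]))
    return alerts


if __name__ == "__main__":
    # Learn the baseline from the morning, then scan the whole day.
    for alert in detect_takeover(EVENTS, build_baseline(EVENTS, "2025-02-03T12:00:00")):
        print("review:", alert)
```

In production the baseline would come from weeks of sign-in history and the rule text would be checked for external forwarding or deletion, but the correlation of an unfamiliar sign-in with a rule change is what distinguishes this pattern from routine mailbox housekeeping.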

By adopting these measures, organisations can better protect themselves from phishing campaigns that exploit ADFS vulnerabilities, reducing the risk of widespread account compromise.

Phishing remains one of the most effective attack methods, making it especially important for organisations to assess their exposure and implement robust defences. At CybaVerse, we help businesses, universities, and other organisations strengthen their security posture by identifying vulnerabilities, enhancing phishing awareness, and deploying proactive security measures. With users and systems being the first line of defence, having a solid phishing prevention strategy is key to stopping account takeovers before they happen.
