Hackers exploit trusted Microsoft redirects and ADFS to steal Microsoft 365 logins, researchers say

Hackers are using a novel method that combines legitimate Office 365 links with Active Directory Federation Services (ADFS) to redirect users to a phishing page designed to harvest Microsoft 365 credentials. Researchers from Push Security said the campaign targets multiple customers and relies on trusted infrastructure to evade traditional detection.

The technique leverages a trusted redirect in Microsoft’s infrastructure, enabling attackers to bypass some URL-based security checks and, in some cases, the multi-factor authentication protections that would normally guard logins.

In the observed campaign, a target who clicked a malicious sponsored result in Google search for “Office 265” was led first to the legitimate Office domain. The chain continued to a domain named bluegraintours[.]com, which then redirected to a phishing page crafted to collect credentials. Researchers noted that the initial pivot appeared to originate from the legitimate office.com domain rather than a direct phishing email.

Push Security said the attacker had configured a custom Microsoft tenant with ADFS, a single sign-on (SSO) solution used to access multiple applications. By controlling the tenant, the attacker used ADFS to process authorization requests from the bluegraintours domain, allowing authentication on the phishing page. An image released by Push Security shows the ADFS server receiving an authorization request from the attacker’s domain. The image and accompanying findings are available from the researchers’ published material.

Push Security noted that the bluegraintours site was designed to be invisible to the target during the redirect chain and included plausible blog-style content to appear legitimate to automated scanners. A later analysis described conditional loading restrictions that only grant access to targets deemed valid; otherwise, users are automatically redirected to the legitimate office.com site.

“From what we’ve seen this appears to be a group experimenting with novel techniques to get users to click highly trusted links to fairly standard phishing kits,” said Jacques Louw, co-founder and Chief Product Officer at Push Security. He added that the activity does not appear to target a specific industry or job role and may reflect broader experimentation with new attack methods.

ADFS has appeared in phishing campaigns before; researchers note that attackers also sometimes spoof a target organization’s ADFS login page to steal credentials. Push Security recommends defensive measures such as monitoring for ADFS redirects to malicious locations and checking for anomalous ad parameters in Google redirects to office.com, which can reveal malicious domains or phishing redirects. Push Security’s published analysis of the attack provides additional detail.
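The two checks Push Security recommends can be approximated over proxy logs. The following is an added example, not code from the article or from Push Security: it reconstructs per-client redirect chains from constructed log lines, flags any hop that leaves a trusted Microsoft host for an allowlist-external domain, and reports URLs embedded in ad-click parameters that point outside that allowlist. The allowlist, log format and the final phishing host are assumptions; bluegraintours.com is the hop named in the article.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of first-party Microsoft hosts; tune for your own tenant.
TRUSTED_SUFFIXES = ("office.com", "microsoft.com", "microsoftonline.com", "live.com")

# Constructed sample log: time, client, status, requested URL, Location header ("-" if none).
# The final host is a placeholder; only bluegraintours.com comes from the article.
SAMPLE_LOG = """\
10:01:02 10.0.0.5 302 https://www.google.com/aclk?adurl=https://www.office.com/ https://www.office.com/?ocid=demo
10:01:03 10.0.0.5 302 https://www.office.com/?ocid=demo https://bluegraintours.com/blog/
10:01:04 10.0.0.5 302 https://bluegraintours.com/blog/ https://phish-placeholder.example/adfs/ls/
10:05:09 10.0.0.7 302 https://www.office.com/ https://www.microsoft.com/microsoft-365
10:05:10 10.0.0.7 200 https://www.microsoft.com/microsoft-365 -
"""

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_trusted(host):
    # Exact match or proper subdomain only, so "office.com.evil.example" is not trusted.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def redirect_edges(text):
    """Map client -> {requested URL: Location} for every 3xx line in the log."""
    edges = defaultdict(dict)
    for line in text.splitlines():
        _, client, status, url, location = line.split()
        if status.startswith("3") and location != "-":
            edges[client][url] = location
    return edges

def flag_pivots(text):
    """Return (client, trusted_url, first_untrusted_hop, final_url) for chains leaving a trusted host."""
    findings = []
    for client, hops in redirect_edges(text).items():
        for src, dst in hops.items():
            if is_trusted(host_of(src)) and not is_trusted(host_of(dst)):
                seen, end = {src}, dst
                while end in hops and end not in seen:   # follow to the landing page, loop-safe
                    seen.add(end)
                    end = hops[end]
                findings.append((client, src, dst, end))
    return findings

def embedded_untrusted_hosts(url):
    """Hosts of URLs carried in query parameters (e.g. ad-click params) that fall outside the allowlist."""
    return [host_of(v) for values in parse_qs(urlsplit(url).query).values()
            for v in values if v.startswith(("http://", "https://")) and not is_trusted(host_of(v))]

if __name__ == "__main__":
    for client, src, dst, end in flag_pivots(SAMPLE_LOG):
        print(f"{client}: {host_of(src)} -> {host_of(dst)} ... lands on {host_of(end)}")
```

Only the pivot away from office.com is reported; the benign office.com to microsoft.com hop for the second client stays silent.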