BleepingComputer reports that threat actors have been covertly exfiltrating Microsoft 365 logins through a new phishing attack technique that exploits both Active Directory Federation Services and legitimate office.com links.
According to a report from Push Security researchers, the attacks began when a victim clicked a malicious sponsored link in search results for Office 265. The link led to Microsoft Office and then redirected to bluegraintours[.]com, which in turn redirected to the credential-stealing phishing page. Further analysis of the intrusions showed that the threat actors used a custom Microsoft tenant with ADFS, which allowed the bluegraintours authorization requests on the phishing page to be approved. "From what we've seen, this appears to be a group experimenting with novel techniques to get users to click highly trusted links to fairly standard phishing kits in the same vein as groups like Shiny Hunters and Scattered Spider have been seen doing," said Push Security co-founder and Chief Product Officer Jacques Louw.
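The detection angle in the chain above is the hand-off itself: in an ADFS-federated tenant, Microsoft's sign-in page legitimately redirects the browser to the organisation's own ADFS host, so a redirect from that sign-in page to any other host is the hop worth alerting on. The following is an added example, not code from the article or from Push Security, that walks a constructed proxy log per user and flags such hops. The log format, the user names, the org federation host `sts.example-corp.com` and the landing host `phish-landing.example` are all assumptions made for the example; only `bluegraintours.com` comes from the report.

```python
"""Added example (not from the article or Push Security): flag proxy-log hops
in which a Microsoft sign-in page hands the browser off to a federation host
the organisation does not own."""
from collections import defaultdict
from urllib.parse import urlparse

# Microsoft-owned hosts a user is expected to pass through.
MICROSOFT_HOSTS = {"www.office.com", "office.com", "login.microsoftonline.com"}
# Host that initiates federation hand-offs for Microsoft 365 sign-in.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com"}
# Assumption: the organisation's own ADFS host (placeholder, not from the article).
ORG_FEDERATION_HOSTS = {"sts.example-corp.com"}

# Constructed sample proxy log: "<time> <user> <referrer-or-dash> <url> <status>".
SAMPLE_LOG = """\
10:00:01 alice - https://www.office.com/ 302
10:00:02 alice https://www.office.com/ https://login.microsoftonline.com/common/oauth2/authorize?client_id=aaa 302
10:00:03 alice https://login.microsoftonline.com/common/oauth2/authorize https://bluegraintours.com/adfs/ls/?wa=wsignin1.0 302
10:00:04 alice https://bluegraintours.com/adfs/ls/ https://phish-landing.example/login 200
10:05:00 bob - https://www.office.com/ 302
10:05:01 bob https://www.office.com/ https://login.microsoftonline.com/common/oauth2/authorize?client_id=bbb 302
10:05:02 bob https://login.microsoftonline.com/common/oauth2/authorize https://sts.example-corp.com/adfs/ls/?wa=wsignin1.0 200
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' for a missing referrer ('-')."""
    if url == "-":
        return ""
    return (urlparse(url).hostname or "").lower()


def parse_log(text: str) -> list[dict]:
    """Parse the five-column constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, user, referrer, url, status = line.split()
        events.append({"time": time, "user": user, "referrer": referrer,
                       "url": url, "status": int(status)})
    return events


def classify_hop(event: dict) -> list[str]:
    """Return the reasons (if any) a single referrer->url hop is suspicious."""
    src, dst = host_of(event["referrer"]), host_of(event["url"])
    path = urlparse(event["url"]).path.lower()
    reasons = []
    # Rule 1: Microsoft sign-in handed off to a host that is neither Microsoft
    # nor the org's own federation server -> unexpected federation redirect.
    if src in MICROSOFT_LOGIN_HOSTS and dst not in MICROSOFT_HOSTS | ORG_FEDERATION_HOSTS:
        reasons.append("unexpected-federation-redirect")
    # Rule 2: an ADFS-style sign-in endpoint on a host the org does not
    # federate with, whatever the referrer was.
    if "/adfs/ls" in path and dst not in ORG_FEDERATION_HOSTS:
        reasons.append("adfs-endpoint-on-unknown-host")
    return reasons


def find_suspicious_hops(events: list[dict]) -> list[dict]:
    """Walk each user's hops in time order and collect the flagged ones."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, hops in by_user.items():
        for e in sorted(hops, key=lambda h: h["time"]):
            reasons = classify_hop(e)
            if reasons:
                findings.append({"user": user, "time": e["time"],
                                 "from": host_of(e["referrer"]),
                                 "to": host_of(e["url"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_hops(parse_log(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']}: {f['from']} -> {f['to']} "
              f"({', '.join(f['reasons'])})")
```

On the constructed log, only alice's hop from `login.microsoftonline.com` to `bluegraintours.com` is flagged; bob's hop to the org's own ADFS host is allowlisted and produces nothing. The allowlist of federation hosts is the part that must be maintained from the tenant's actual federation configuration, since a stale entry either hides a rogue hand-off or floods the rule with false positives.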