Hackers are using a novel technique that combines legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 logins.

The method lets attackers bypass traditional URL-based detection and the multi-factor authentication process by leveraging a trusted domain on Microsoft's infrastructure for the initial redirect.

Legitimacy of a trusted redirect

Researchers at Push Security, a company that provides protection solutions against identity-based attacks, analyzed a recent campaign that targeted several of its customers and redirected employees from a legitimate outlook.office.com link to a phishing website.

While the phishing page did not exhibit any special elements that would prevent its detection, the deli
