Hackers exploit Microsoft ADFS with office.com redirects

Hackers are exploiting Microsoft’s Active Directory Federation Services (ADFS) alongside legitimate office.com redirects to trick users into handing over Microsoft 365 credentials, researchers have warned.

The technique, uncovered by Push Security, combines malvertising with Microsoft’s trusted infrastructure to bypass traditional URL detection and even multi-factor authentication.

Redirecting via trusted domains

The campaign begins when a target clicks on a malicious sponsored Google search result for “Office 265”, a likely typo. Instead of going directly to a phishing page, the victim is first redirected through Microsoft’s outlook.office.com domain. From there, the attacker-controlled site bluegraintours.com silently routes the user to a credential-harvesting page.

Push Security said that while the phishing site itself was unsophisticated, the use of Microsoft infrastructure as part of the redirect chain meant the attack was far less likely to raise red flags with email or endpoint security tools.

By controlling a Microsoft tenant configured with ADFS, attackers were able to receive authorisation requests from their own domain and use them to authenticate the fake login process. Because ADFS is a Microsoft-developed single sign-on solution, the redirects initially appeared legitimate to both users and automated scanners.

“From what we've seen this appears to be a group experimenting with novel techniques to get users to click highly trusted links to fairly standard phishing kits, in the same vein as groups like ShinyHunters and Scattered Spider have been seen doing,” Jacques Louw, co-founder and CPO at Push Security, told BleepingComputer.

Obfuscation and conditional access

To further conceal the operation, the bluegraintours site was loaded with fake blog posts and other filler content to pass as a legitimate website. Researchers also found that the phishing page used conditional loading restrictions: only valid targets were shown the fake login page, while others were redirected back to the real office.com site.

Push Security said the campaign did not appear to focus on any particular industry or job function, suggesting it may be an early-stage test of new methods.

ADFS still in use

Microsoft has long encouraged organisations to migrate from ADFS to Azure Active Directory for identity and access management, though the service remains supported in Windows Server 2025. ADFS has previously been abused in phishing attacks, typically via spoofed login pages.

In this case, however, the attackers leveraged their own Microsoft tenant and ADFS setup to weaponise legitimate office.com links.

To counter this type of threat, Push Security recommends enterprises monitor for unusual ADFS redirects and inspect advertising parameters in Google redirects to office.com, which may expose malicious domains.
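One way to act on that recommendation is to scan web-proxy logs for requests to Microsoft-owned hosts whose query parameters carry an embedded URL pointing somewhere outside Microsoft's domains, which is the shape of the redirect chain described above. The script below is an added example written for this article, not code from Push Security or Microsoft. It assumes a simple "timestamp user url" log format, a small allowlist of Microsoft hosts (`TRUSTED_HOSTS`), and constructed sample log lines; the parameter names (`redirect_to`, `r`, `next`) are invented for the sample and the detection is deliberately parameter-agnostic, since the actual parameter used by the campaign is not given in the article.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Microsoft hosts that are legitimately expected as the first hop of a sign-in flow.
# Assumption: extend this with your own tenant's verified domains.
TRUSTED_HOSTS = {
    "office.com",
    "outlook.office.com",
    "login.microsoftonline.com",
    "login.live.com",
}

# Constructed sample proxy log lines (not from the article). Format: "<timestamp> <user> <url>".
SAMPLE_LOG = """\
2025-08-14T09:12:01Z alice https://www.google.com/search?q=office+265
2025-08-14T09:12:05Z alice https://outlook.office.com/owa/?redirect_to=https%3A%2F%2Fbluegraintours.com%2Fpost%2F1
2025-08-14T09:12:06Z alice https://bluegraintours.com/post/1
2025-08-14T10:01:44Z bob https://outlook.office.com/owa/?redirect_to=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fauthorize
2025-08-14T10:30:00Z carol https://www.office.com/?auth=2&home=1
2025-08-14T11:15:09Z dave https://www.office.com/?r=https%253A%252F%252Fbluegraintours.com%252Fpage
2025-08-14T11:40:22Z erin https://outlook.office.com/?next=https%3A%2F%2Foffice.com.example.test%2Flogin
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_trusted(host, trusted=TRUSTED_HOSTS):
    """True if host equals a trusted domain or is a subdomain of one.

    A suffix check on ".office.com" accepts outlook.office.com but rejects
    lookalikes such as office.com.example.test.
    """
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def extract_urls(value):
    """Return any absolute URLs embedded in a query-parameter value.

    Redirect parameters are frequently percent-encoded more than once, so
    decode until the value stops changing (bounded to avoid pathological input).
    Scheme-relative values ("//host/path") are normalised to https.
    """
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if decoded.startswith("//"):
        decoded = "https:" + decoded
    return URL_RE.findall(decoded)


def find_suspicious_redirects(log_text, trusted=TRUSTED_HOSTS):
    """Flag requests to trusted Microsoft hosts whose parameters point off-platform.

    Each finding records who was redirected, from which trusted first hop,
    via which parameter, and to which untrusted host.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # malformed line; skip rather than crash the scan
        timestamp, user, url = parts
        first_hop = urlsplit(url)
        if not is_trusted(first_hop.hostname or "", trusted):
            continue  # only trusted first hops are interesting here
        for name, value in parse_qsl(first_hop.query, keep_blank_values=True):
            for embedded in extract_urls(value):
                target_host = urlsplit(embedded).hostname or ""
                if target_host and not is_trusted(target_host, trusted):
                    findings.append({
                        "time": timestamp,
                        "user": user,
                        "first_hop": first_hop.hostname,
                        "parameter": name,
                        "target_host": target_host,
                    })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_redirects(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}: {f['first_hop']} ?{f['parameter']}= -> {f['target_host']}")
```

Run against the constructed sample, the scan flags alice's hop from outlook.office.com to bluegraintours.com, dave's double-encoded redirect, and erin's redirect to a host that merely starts with "office.com"; bob's redirect to login.microsoftonline.com and carol's parameter-only request are left alone. In production the same logic would run over real proxy or DNS-resolver logs, and the allowlist is the control that decides what counts as "unusual".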

The discovery highlights how attackers are increasingly blending legitimate infrastructure with familiar phishing kits, raising the bar for detection and user awareness.