A global phishing campaign is actively exploiting a legacy Microsoft authentication system to steal user credentials and bypass multi-factor authentication (MFA), targeting over 150 organizations.

A global phishing campaign is underway, exploiting a legacy Microsoft authentication system to steal user credentials and bypass multi-factor authentication (MFA), targeting over 150 organizations.

A sophisticated phishing campaign is exploiting vulnerabilities in Microsoft’s Active Directory Federation Services (ADFS) to compromise user accounts and bypass multi-factor authentication (MFA), as revealed in research by Abnormal Security.

The attackers employ a combination of social engineering and technical manipulation. Phishing emails, mimicking legitimate notifications, lure victims to spoofed ADFS login pages. These emails often use urgent tones, warn of supposed updates or policy changes, and incorporate legitimate branding, logos, and even contact information to appear genuine. 

One of the phishing pages was sent to a targeted company (Via Abnormal Security)

URL obfuscation and shortened links further conceal the malicious destination.  It is worth noting that the attackers personalize the phishing pages to match the target organization’s specific MFA setup, such as tailoring prompts for push notifications, and mechanisms like Microsoft Authenticator, Duo Security, and SMS verification. 

The phishing landing page replicates the organization’s ADFS portal, dynamically pulling logos and design elements, creating a convincing counterfeit. While some client-side validation might exist, the page does not verify credentials against the organization’s systems since any username and password combination is accepted.  

The next step involves capturing the user’s second-factor authentication. Phishing templates are designed to collect various MFA factors, including codes from authenticator apps, SMS messages, or even push notifications. This information, coupled with the stolen credentials, is relayed to the attackers.

To complete the deception, the victim is redirected to the genuine ADFS login page after submitting their information, reinforcing the illusion of a successful login. With the stolen credentials and MFA details, the attackers proceed with account takeover (ATO), often using VPNs to mask their location.  Post-compromise activity typically includes internal reconnaissance, setting up mail filter rules to conceal their presence, and launching lateral phishing attacks.

Lateral phishing, sent from the compromised account, leverages established trust relationships within the organization. These emails often mimic legitimate communication patterns, targeting colleagues and associates. The mail filter rules, often with deceptive names and obfuscated keywords (e.g., “Hish” for “Phish”), help the attackers remain undetected.

“This approach leverages nuanced psychological tactics to exploit human vulnerabilities and reinforce a false sense of legitimacy,” Abnormal Security’s report read.

A fake Microsoft ADFS used in the campaign (Via Abnormal Security)

Research reveals that this campaign has targeted over 150 organizations in various sectors. The education sector is most impacted with 50% of attacks followed by healthcare (14.8%), government (12.5%), technology (6.3%), and transportation (3.4%).  Geographically, the attacks are largely focused on the United States, but incidents have also been reported in Canada, Australia, and Europe.

The report suggests that attackers are exploiting the fact that many organizations have not switched to Microsoft’s modern identity platform, Entra. ADF reliance is particularly prevalent in sectors with slower technology adoption, emphasizing the need for prioritizing migration to modern solutions and employing a multi-layered security approach.

Roger Grimes, a data-driven defence evangelist at KnowBe4, commented on the issue, telling Hackread.com that this is the first time they have heard about fake ADFS login pages hinting at the sophistication of this campaign.

_“_I’m a 36-year cybersecurity expert and author of 15 books (one on hacking MFA and over 1,500 articles. This is the first time I’ve read about fake ADFS login pages, but ADFS has been involved in bypassing MFA authentication before, so it’s not completely new to use in the hacker scene._“_

_“_All users should use phishing-resistant MFA whenever they can,_“_ Roger warned. _“_Unfortunately, most of today’s most popular MFA solutions, including Microsoft Authenticator, Google Authenticator, Duo, push-based MFA, OTP, and SMS-based MFA are very phishable and subject to the exact type of attack reported here._“_

Hackers Using Fake Microsoft ADFS Login Pages to Steal Credentials

Organizations continue to be at high risk from cybercrime in Africa, despite law enforcement takedowns of cybercriminal syndicates in Nigeria and other African nations.

Threat Index global mapSource: Check Point Software Technologies

Nigeria's government has taken a tougher stance against financial fraud and cybercrime, arresting more than 1,000 people in the past year and successfully prosecuting 152 cases related to cyber-related fraud and scams.

On Feb. 3, Nigeria's Economic and Financial Crimes Commission (EFCC) arraigned 42 foreign nationals — mainly Chinese and Filipino — on charges related to alleged cryptocurrency investment and romance fraud, part of a massive raid conducted in December 2024 against a purported cybercriminal syndicate of nearly 800 people.

The defendants willfully "caused to be accessed, a computer system which was organized to seriously destabilize the economic and social structure of the Federal Republic of Nigeria, by procuring and employing several Nigerian youths for identity theft and other computer related fraud," according to an EFCC statement.

Cybercrime and cyberattacks continue to be a major problem for Nigeria, and Africa as a whole. The average African organization sees nearly 3,200 attacks per week, 73% more than the global average, according to data provided by cybersecurity firm Check Point Software Technologies. Africa has increasingly become a hub for cybercrime, charting eight countries in Check Point's top 20 areas at high risk of cybercrime. Ethiopia claimed the top spot as the riskiest nation for cybercrime, while Nigeria ranked number 19.

The continent is rapidly adopting technology, not always with the right security, leading to vulnerable systems, says Lionel Dartnall, acting country manager for South Africa at Check Point.

"We are seeing that Africa is particularly susceptible compared to other regions, and many attackers often test new methods here before deploying them in other parts of the world," he says, listing the rapidly expanding digital footprint and widespread adoption of cloud computing as factor\[s\] that are opening up the region to more attacks."

**Africa: Rapidly Securing Its Ecosystem**

Overall, the Global South — including nations in the African, Latin American, and South Asian regions — have the lowest number of organizations reporting themselves to be cyber-resilient, according to the World Economic Forum's "Global Cybersecurity Outlook 2025." In Europe and North America, about 15% of organizations lack confidence in their nation's ability to respond to significant cyber incidents. In Africa and Latin America, 36% and 42% lack confidence, respectively.

While African nations are disproportionately represented in the top-20 cyber-riskiest nations and in lacking confidence in their cyber resilience, their economies are also topping the list in terms of growth, with 11 of the 20 fastest-growing economies in Africa. Overall, Africa's younger population and the increased digitization brings more risk, but also more opportunities, Check Point's Dartnall says.

"\[T\]he continent has only 20,000 qualified cybersecurity engineers, indicating a critical need for more experts to join the field," he says. "However, there is a focus by both private and public sector institutions to stimulate cyber security training especially among young people, both to plug the acute skills gap and also provide critically needed employment."

Organizations in Nigeria — and Africa as a whole — have suffered a much higher pace of attacks, compared with global groups. Source: Check Point Software's "2024 African Perspectives on Cyber Security"

Nigeria, however, continues to face economic problems that impact its ability to create a trusted online ecosystem. Nigeria had significant economic challenges over the past three years, including annual inflation of more than 30%, higher unemployment, and growing debt, according to PricewaterhouseCoopers' 2025 Nigeria Budget and Economic Outlook. In 2024, the Nigerian government had to pause the implementation of a cybersecurity tax after public dissent. At the same time, Nigeria saw far more attacks per organizations than the global average.

**Importing Cybercrime**

The trick for countries like Nigeria is to make cybersecurity jobs available and more appealing than cybercrime. The government has already reached out to organizations, such as the Student Union Executives and the Nigeria Internet Registration Association (NIRA), to bolster cybersecurity training and fraud awareness.

In addition, law enforcement authorities have ramped up investigations and enforcement operations in the last year. In July 2024, Interpol worked with authorities in 21 countries to arrest the West African cybercriminals involved in financial fraud in an effort dubbed Operation Jackal III. In December 2024, similar cooperation led to the arrest of more than 1,000 suspects linked to more than $192 million in financial losses across Africa.

The Nigerian government has stressed that many of the cybercriminal schemes that operate in the country are not run by Nigerians. During the massive raid leading to the arrest of 792 suspects allegedly involved in a romance and cryptocurrency-investment fraud ring, nearly a quarter of those detained were not Nigerian citizens and included 148 Chinese, 40 Filipinos, two Kharzartans, one Pakistani, and one Indonesian, according to a December 2024 statement.

"Foreigners are taking advantage of our nation's unfortunate reputation as a haven of frauds to establish a foothold here to disguise their atrocious criminal enterprises," Ola Olukoyede, the EFCC chairman, said at a press conference. "But, as this operation has shown, there will be no hiding places for criminals in Nigeria."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nigeria Touts Cyber Success, Even as Cybercrime Rises in Africa

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing validations of the user input that should be blocking file URI schemes (e.g., file:// and file:/) in the HTML content.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-j2gw-r24m-j2qw: Browsershot Path Traversal

Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.

GHSA-wp68-xrfg-xvq4: Cockpit Arbitrary File Upload

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files.

**Note:**

This is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).

GHSA-f2q5-6mx7-q9qq: Browsershot Local File Inclusion

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of vulnerabilities is as follows -

CVE-2024-45195 (CVSS score: 7.5/9.8) - A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25

Fraud groups are using cutting-edge technology to scale their operations to create fake identities and execute fraud campaigns.

Source: Mike via Adobe Stock Photo

Question: How are modern fraud groups using generative artificial intelligence (GenAI) and deepfakes to steal millions of dollars?

Answer: If you imagine a fake identity document, what springs to mind? Is it a faded World War II-era identity card with a false name written in neat script next to a black and white photo? Is it a driver's license from a state you had never actually been to with your photo and a fake name, address, and birthday that you showed to the bars in your college town so you could drink when you were underage? Sometimes those documents worked. Sometimes they didn't.

The forgeries created by modern fraud groups use cutting-edge AI-driven deepfake technology to create fake identities, avatars, and documents that even a trained eye would have trouble spotting, says Ofer Freidman, chief business development officer of identity verification and ID management automation company AU10TIX. These groups are using GenAI to steal personal data, craft convincing fake identities, and execute fraud schemes.

Fraudsters acquire personal data from individuals through a combination of methods, including phishing, social engineering, and hacking corporate databases. They can also buy the information from cybercrime marketplaces. They can then use an AI system to randomize the information, such as names, addresses, and document numbers, to generate new fake identities. AI is better at avoiding repetitive patterns than humans, making it more likely that these fake identities will evade detection systems and monitors, Friedman says. 

Traditional forgeries could be identified by spotting inconsistencies, such as mismatched shadows or areas that were low resolution compared to the rest. While there are ways to identify deepfakes (such as counting the fingers on the person's hands), each model is getting better at producing uniform, high-quality content. 

For fraudsters, every payday doesn't need to be huge because they are operating in an "industrialized, systematic way," Friedman says. "You can go for $1 million or you can go 100 times for $10,000. It's the same effort because it's a machine doing it for you, unlike the good old days when you actually had to do it one by one."

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How Are Modern Fraud Groups Using GenAI and Deepfakes?

Researchers measured a threefold increase in credential stealing between 2023 and 2024, with more than 11.3 million such thefts last year.

Source: Artur Marciniec via Alamy Stock Photo

NEWS BRIEF

After analyzing more than a million pieces of malware collected in 2024, researchers have found that 25% of them target user credentials.

That's three times the number from 2023 and has bumped stealing credentials from password stores into the top 10 techniques listed in the MITRE ATT&CK framework, which accounted for 93% of all malicious cyber activity in 2024.

In "The Red Report 2025" conducted by Picus Security, researchers observed that the attackers are prioritizing "complex, prolonged, multi-stage attacks that require a new generation of malware to succeed." In what the researchers dubbed "SneakThief," threat actors are looking to revolutionize info-stealing malware, focusing on increased stealth, persistence, and automation.

The researchers add that threat actors likely have their sights set on these malware attributes in order to pull off "the perfect heist," adding that most malware samples now have the capability to do so with more than a dozen malicious actions installed to help bad actors evade defenses, exfiltrate data, and more.

The researchers also report they found no evidence that cybercriminals are using AI-driven malware, and that malware samples on average can complete 14 malicious actions. And of the millions of cybercrime acts seen in 2024, exfiltration and stealth tactics made up 11.3 million.

"Focusing on Top 10 MITRE ATT&CK techniques is the most viable way to stop the kill chain of sophisticated malware strains as early as possible," said Volkan Ertürk, CTO and co-founder of Picus. "SneakThief malware is not an exception; enterprise security teams can stop 90% of malware by focusing on just 10 of MITRE's entire library of techniques."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Credential Theft Becomes Cybercriminals' Favorite Target

Targets are lured into a fake interview process that convinces them to download malware needed for a virtual interview.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

In a new patch for its on-device malware tool, Apple is pushing signature updates to XProtect in order to block variants of a malware belonging to what is known as the macOS Ferret family.

This malware has been identified as part of "Contagious Interview," a North Korean campaign involving threat actors luring in targets and convincing them to install malware onto their devices through a fake job interview process. The other variants in the campaign include: FROSTYFERRET\_UI, FRIENDLYFERRET\_SECD, and MULTI\_FROSTYFERRET\_CMDCODES.

The DPRK malware family was first detailed by researchers in December 2024 and again in January where, as part of the campaign, targets are asked to communicate with an "interviewee" through a link that requests to install a piece of software required for virtual meetings.

Once installed, it runs a malicious shell script and installs a persistence agent, as well as an executable impersonating a Google Chrome update. 

The Contagious Interview attack chains are designed to drop JavaScript-based malware "BeaverTail," which delivers a Python backdoor known as InvisibleFerret, and harvests sensitive data from Web browsers and crypto wallets.

And now researchers at SentinelOne are highlighting samples they're calling "FlexibleFerret" that went undetected by XProtect as of Feb. 3, suggesting that the threat actors are honing their tactics to evade detection. This component dates as far back as November 2023.

"In an example in late December, one 'commenter' left instructions leading to the download of Ferret family droppers," stated the SentinelOne researchers. "This suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Ferret Malware Added to 'Contagious Interview' Campaign

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

Tag

#auth