Hackers are using a rather clever tactic: they mix legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 credentials.
What’s concerning is that this method allows them to bypass traditional security filters (such as URL scanners) and even sidestep multi-factor authentication, since the chain starts from a trusted domain within Microsoft’s own infrastructure. A smart move, but a dangerous one.
In this recent phishing campaign, researchers analyzed how attackers were redirecting employees from a legitimate outlook.office.com link to a phishing site designed to steal credentials.
Interestingly, the fake page itself wasn’t particularly sophisticated in avoiding detection. The trick was in how the attack was delivered. By leveraging Microsoft’s legitimate infrastructure, the malicious link was able to slip past many security tools unnoticed.
It all started with a click on a malicious sponsored ad in Google search results for "Office 265" (yes, with that common typo). From there, the victim was first taken to an authentic Microsoft site, then redirected to an intermediate domain like bluegraintours[.]com, and finally landed on the phishing page.
This chain of redirects—using legitimate domains as a bridge—is what makes the attack so hard to spot at a glance, even for automated systems.
Figure: Timeline of the Attack (Source: Push Security)
At first glance, it seemed that users were being redirected directly from the legitimate office.com domain to a malicious page—all without the need for a typical phishing email.
But upon closer investigation, experts uncovered something much more elaborate: the attackers had created their own customized Microsoft tenant and configured it with Active Directory Federation Services (ADFS), a tool that allows users to sign in to multiple applications with a single account (commonly known as Single Sign-On or SSO).
While ADFS is still available in Windows Server 2025 and there are no official plans to retire it, Microsoft already recommends migrating to Azure Active Directory (now Entra ID) for more modern and secure identity and access management (IAM).
What’s most concerning here is that by controlling a Microsoft tenant, the attacker was able to use ADFS as if it were a legitimate identity provider. So when a victim accessed the malicious domain bluegraintours[.]com, an authentication request was triggered that appeared completely legitimate—but in reality, it led them to a phishing page designed to steal credentials.
In short, not only were they using legitimate infrastructure as bait, but they were also leveraging real corporate tools to make everything seem normal. And that’s precisely what makes this type of attack so difficult to detect.
Figure: ADFS Server Receiving the Authorization Request from the Attacker’s Domain
One reason this type of attack is so hard to detect is that the intermediate site (in this case, bluegraintours[.]com) is never visible to the victim. Everything happens behind the scenes as part of a carefully orchestrated redirect chain.
To avoid detection by automated security scanners, the attacker filled that site with fake blog posts and generic content, giving it a legitimate appearance at first glance. So while the user never sees it, security systems don’t flag it as suspicious either.
But that’s not all. A deeper analysis of the attack revealed that the attackers configured conditional access restrictions—meaning only specific users could reach the final phishing page.
If someone who doesn’t meet the criteria clicks the link, they’re redirected back to a legitimate Microsoft site like office.com. This smart filtering helps the attackers stay under the radar.
Interestingly, researchers found no clear pattern in the targets. There’s no indication that specific sectors or roles are being singled out. It appears the attackers are experimenting with new methods, testing what works and what doesn’t.
While the use of ADFS in phishing campaigns isn’t new, what’s different this time is the approach: instead of cloning an ADFS login page, the attacker created a legitimate environment and used it as part of the redirect chain. It’s a more sophisticated and subtle twist on past attempts.
To avoid falling for these kinds of traps, TecnetOne recommends implementing several security measures, including:
Monitoring ADFS-based redirects, especially those pointing to unusual or unverified destinations.
Checking redirect parameters on Google Ads clicks that lead to domains like office.com, as they may reveal malvertising attempts.
Educating employees on new, more sophisticated phishing methods that are harder to detect.
Regularly reviewing the configuration of Microsoft tenants and ADFS to prevent misuse as part of an attack chain.
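As an added example that is not part of the article or of Push Security’s research, the script below shows how the first two recommendations (monitoring ADFS-based redirects and checking redirect parameters that lead to office.com) can be turned into a simple detection over web-proxy logs. The log format, the sample lines and the allowlist of trusted domains are constructed for the example; the federation parameter names (wreply, wctx, redirect_uri, RelayState) are standard WS-Federation, OAuth and SAML parameters. It reconstructs each client’s redirect chain and flags chains that start on a Microsoft domain and end outside the allowlist, sign-in hops from a Microsoft host to an unverified ADFS endpoint, and return parameters pointing at untrusted hosts.

```python
"""Detect suspicious ADFS/federation redirect chains in proxy logs.

Added example; not code from the article, TecnetOne or Push Security.
Log format, sample lines and the allowlist are constructed assumptions.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist: hosts that may legitimately end a Microsoft sign-in
# chain. Replace the last entry with your organisation's real ADFS host.
TRUSTED_SUFFIXES = (
    "office.com", "microsoft.com", "microsoftonline.com", "live.com",
    "sts.example-corp.invalid",  # placeholder for the org's own federation server
)

# Standard federation parameters that carry a post-authentication return target.
RETURN_PARAMS = ("wreply", "wctx", "redirect_uri", "RelayState", "ReturnUrl")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def parse_line(line):
    """Constructed format: '<timestamp> <client-ip> <status> <url> <Location or ->'."""
    ts, client, status, url, location = line.split(" ", 4)
    return {"ts": ts, "client": client, "status": int(status), "url": url,
            "location": None if location == "-" else location}


def untrusted_return_targets(url):
    """(param, host) pairs where a return parameter points outside the allowlist."""
    qs = parse_qs(urlparse(url).query)
    found = []
    for param in RETURN_PARAMS:
        for value in qs.get(param, []):
            target = host_of(value)
            if target and not is_trusted(target):
                found.append((param, target))
    return found


def build_chains(records):
    """Group requests per client into chains by following Location headers."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        chain = []
        for r in recs:
            # A request that does not land on the previous hop's Location starts a new chain.
            if chain and host_of(r["url"]) != host_of(chain[-1]["location"] or ""):
                chains.append((client, chain))
                chain = []
            chain.append(r)
            if r["location"] is None:  # a non-redirect response ends the chain
                chains.append((client, chain))
                chain = []
        if chain:
            chains.append((client, chain))
    return chains


def analyse(lines):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    for client, chain in build_chains([parse_line(l) for l in lines]):
        hosts = [host_of(r["url"]) for r in chain]
        # 1. Chain begins on a trusted Microsoft host but ends somewhere else.
        if len(hosts) >= 2 and is_trusted(hosts[0]) and not is_trusted(hosts[-1]):
            findings.append({"client": client, "reason": "trusted-to-untrusted chain", "hosts": hosts})
        for r in chain:
            loc = r["location"]
            # 2. Microsoft sign-in hands the user to an ADFS endpoint we do not recognise.
            if loc and is_trusted(host_of(r["url"])) and not is_trusted(host_of(loc)) \
                    and "/adfs/" in urlparse(loc).path:
                findings.append({"client": client, "reason": "unverified federation host",
                                 "hosts": hosts, "target": host_of(loc)})
            # 3. A return parameter names a host outside the allowlist.
            for param, target in untrusted_return_targets(r["url"]):
                findings.append({"client": client, "reason": f"untrusted {param}",
                                 "hosts": hosts, "target": target})
    return findings


# Constructed sample log: one benign sign-in (10.0.0.5) and one chain that mirrors
# the article's pattern (10.0.0.9): office.com -> Microsoft login -> foreign ADFS -> phishing host.
SAMPLE_LOG = [
    "2025-06-01T09:00:00Z 10.0.0.5 302 https://www.office.com/ https://login.microsoftonline.com/common/oauth2/authorize?client_id=x&redirect_uri=https://www.office.com/landing",
    "2025-06-01T09:00:01Z 10.0.0.5 200 https://login.microsoftonline.com/common/oauth2/authorize?client_id=x&redirect_uri=https://www.office.com/landing -",
    "2025-06-01T09:05:00Z 10.0.0.9 302 https://www.office.com/?from=ad https://login.microsoftonline.com/common/login",
    "2025-06-01T09:05:01Z 10.0.0.9 302 https://login.microsoftonline.com/common/login https://sts.intermediate.invalid/adfs/ls/?wa=wsignin1.0&wreply=https://portal.phish.invalid/",
    "2025-06-01T09:05:02Z 10.0.0.9 302 https://sts.intermediate.invalid/adfs/ls/?wa=wsignin1.0&wreply=https://portal.phish.invalid/ https://portal.phish.invalid/",
    "2025-06-01T09:05:03Z 10.0.0.9 200 https://portal.phish.invalid/ -",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["client"], f["reason"], " -> ".join(f["hosts"]))
```

Run against the constructed sample, the benign client produces no findings, while the second client is reported three times: once for the chain that starts on office.com and ends on an untrusted host, once for the sign-in hop to an unrecognised /adfs/ endpoint, and once for the wreply parameter pointing at the phishing host. In a real deployment the allowlist should contain only the organisation’s own federation server, so that any other ADFS host appearing after login.microsoftonline.com is surfaced for review.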
In addition to these best practices, having an advanced security solution like Sophos can make a significant difference. Sophos provides comprehensive protection for endpoints, networks, servers, and email, with proactive AI-driven threat detection, real-time behavior analysis, and defense against targeted attacks like redirect-based phishing.
At TecnetOne, we are Certified Sophos Partners, enabling us to offer expert advice, official licensing, and implementation of solutions tailored to your business needs. Our technical team is trained to help you protect your IT infrastructure with cutting-edge tools—without hassle and with local support.
This case reminds us that in cybersecurity, trust in well-known domains is no longer enough. Attackers are exploiting that very trust to hide their movements and steal credentials without leaving obvious traces.