Why ADFS Phishing Matters
Phishing attacks aimed at Active Directory Federation Services (ADFS) have become more convincing. Attackers build fake login pages that look like the real thing and use them to collect credentials. That matters because many organisations still rely on ADFS for access to internal and external services.
A successful attack can lead to data loss, financial damage, and reputational mess. The trick is often in the delivery: trusted links, legitimate redirects, and other routes that get around controls that only look at email.
How ADFS Phishing Usually Works
The common pattern is simple enough. The attacker spoofs a login page and waits for someone to enter their details. The email or message leading to it often looks like it came from IT or another trusted source.
One method often called ADFSjacking sends users from a legitimate domain to a phishing page. The redirect can be enough to make the whole thing look harmless at a glance. In practice, the page can be close enough to the real ADFS portal to catch people out and, in some cases, get past MFA.
Malvertising and Other Delivery Routes
Malvertising gets used here as well. A malicious ad can send someone to a fake ADFS login page after a single click. The ad may sit on a site that looks perfectly ordinary, which makes the attack harder for users to spot.
This is part of why ADFS phishing is awkward to deal with. Email filtering alone misses a lot of it. Attackers change route when one channel gets noisy, so the problem moves rather than goes away.
Practical Defences
- Use long, complex passwords for ADFS service accounts. Group Managed Service Accounts (gMSA) are a cleaner option where they fit the setup.
- Require MFA for ADFS users. Phishing-resistant methods such as hardware security keys are a better bet than SMS.
- Keep ADFS and related components patched. Old software is a gift to attackers.
- Watch the logs for odd login attempts and patterns that do not fit normal use.
SSO Hardening Checklist
- Run regular security reviews of ADFS and the applications tied to it.
- Limit access by role so fewer people can touch sensitive parts of the setup.
- Train users to spot phishing attempts and to treat odd redirects with suspicion.
- Use anti-phishing tools that can catch attempts aimed at ADFS rather than just standard email scams.
Relay Attacks and Redirect Checks
Relay attacks can be ugly if they land. The usual result is unauthorised access to accounts that should have stayed locked.
- Validate redirect URIs so users are not sent off to a malicious site.
- Use conditional access policies that take location, device, and risk into account.
- Monitor for unusual behaviour and alert on activity that does not fit the normal pattern.
Implementation Checklist
- Review and update security policies so they still match the current threat.
- Deploy threat detection tools that can spot phishing attempts against ADFS.
- Run phishing simulations to see how users respond in practice.
- Get security help where needed to check the setup and close gaps.
ADFS phishing is a real problem because it borrows trust from the systems people already rely on. The sensible response is to harden the service, watch the logs, and stop assuming every login page is what it claims to be.



