A recent campaign reveals how attackers are shifting tactics, weaponizing Microsoft’s Active Directory Federation Services (ADFS) and trusted domains like office.com to hijack Microsoft 365 logins (as reported by Cyber Security News).
Here’s how it works, why traditional defenses often fail, and how business owners should rethink their security strategy—moving from “detect and respond” to “isolation and containment.” Most importantly, discover how AppGuard—a proven endpoint protection solution—is ideally suited to prevent these kinds of attacks.
According to Push Security, attackers are exploiting Microsoft’s single sign-on infrastructure by registering their own Microsoft tenant and configuring its ADFS (federation) settings so that authentication requests are redirected through trusted Microsoft domains (such as office.com) to a malicious login page under the attacker’s control.
The flow looks harmless: a user clicks an ad or a search result, lands on a legitimate Microsoft URL, but then gets redirected invisibly to a perfect phishing clone (Cyber Security News).
Some of the key features of the attack:
- Malvertising and search-engine ads: Rather than relying on phishing emails, attackers are using ads and organic search traffic.
- Exploitation of ADFS: This gives them the ability to use Microsoft’s own infrastructure to make the redirect seem legitimate.
- Intermediate domains and redirect chains: These are used to evade detection by web filters and automated domain categorization tools.
- Bypassing MFA: Once credentials are captured, session cookies can be stolen, enabling attackers to bypass multi-factor authentication.
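As an added, defender-side example (not code from the original article, from Push Security or from AppGuard): a short Python script that rebuilds HTTP redirect chains from proxy-style log lines and flags a sign-in flow that begins on a trusted Microsoft host but ends on a host outside an allowlist, which is the shape of the redirect chain described above. The log format, the sample entries and the TRUSTED_HOSTS allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts a genuine Microsoft 365 sign-in may pass through; a real
# deployment would use its own allowlist, including its real ADFS hostname.
TRUSTED_HOSTS = {"www.office.com", "login.microsoftonline.com", "login.live.com"}

# Constructed log format: client_ip requested_url http_status location_or_dash
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")

# Constructed sample traffic: 10.0.0.5 is bounced from office.com through
# login.microsoftonline.com to a host outside the allowlist; 10.0.0.7 is normal.
SAMPLE_LOG = """\
10.0.0.5 https://www.office.com/login?ref=ad 302 https://login.microsoftonline.com/
10.0.0.5 https://login.microsoftonline.com/ 302 https://sts.redirect-target.invalid/adfs/ls/
10.0.0.5 https://sts.redirect-target.invalid/adfs/ls/ 200 -
10.0.0.7 https://www.office.com/ 302 https://login.microsoftonline.com/
10.0.0.7 https://login.microsoftonline.com/ 200 -
"""

def build_chains(lines):
    """Rebuild redirect chains per client by following 3xx Location hops."""
    by_client = {}
    for m in filter(None, (LOG_RE.match(line.strip()) for line in lines)):
        ip, url, status, location = m.groups()
        by_client.setdefault(ip, []).append((url, int(status), location))
    chains = []
    for ip, hops in by_client.items():
        chain = []
        for url, status, location in hops:
            if chain and chain[-1] != url:  # not the expected next hop: new chain
                chains.append((ip, chain))
                chain = []
            if not chain:
                chain.append(url)
            if 300 <= status < 400 and location != "-":
                chain.append(location)
        if chain:
            chains.append((ip, chain))
    return chains

def suspicious_chains(lines):
    """Flag chains that begin on a trusted sign-in host but end elsewhere."""
    flagged = []
    for ip, chain in build_chains(lines):
        first, last = (urlparse(u).hostname for u in (chain[0], chain[-1]))
        if first in TRUSTED_HOSTS and last not in TRUSTED_HOSTS:
            flagged.append((ip, chain))
    return flagged
```

Run `suspicious_chains(SAMPLE_LOG.splitlines())` to see the single flagged chain; on real proxy logs the same check can be fed into an alerting rule.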
This is more than just a clever phishing trick. It represents a class of attack that can evade many conventional security controls. The usual tools—URL filtering, email filters, detection of known malicious sites—are far less effective when the attack begins from a trusted domain and uses complex redirects. The moment the attacker leverages a trusted service (like ADFS), many of the downstream protections lose power.
Many security programs are built around detecting incidents, then responding—investigating, quarantining, cleaning up. But by then, damage may already be done. Especially in attacks like this:
- Users may already have handed over credentials.
- Session cookies may be compromised, letting attackers bypass MFA.
- Identity theft, lateral movement inside networks, or data exfiltration may be underway.
In short: detection is reactive. By the time you detect something, you may already be suffering losses, reputation damage, or worse.
What if instead of waiting, your systems could isolate suspicious behavior immediately or limit the damage at the point it begins? That means implementing controls that:
- Prevent unsafe or untrusted code from executing on endpoints
- Contain or block malicious redirects or impersonations at the moment they try to interact with a protected resource
- Limit what compromised credentials or sessions can do, even if they are captured
This is where “isolation and containment” differ crucially from “detect and respond.” The former aims to stop threats before they achieve their objective; the latter only kicks in after the threat has been at least partially realized.
AppGuard is not merely another endpoint detection solution. It has a proven 10-year track record protecting systems by isolating untrusted or unsafe behavior—before damage occurs. Here’s how AppGuard helps prevent attacks like the one described above:
| Feature | Why It Matters for This Type of Attack |
|---|---|
| Application Isolation | Prevents malicious login pages or phishing code, regardless of how they arrived, from executing in a way that interacts improperly with system or browser resources. Even if redirected via trusted domains, malicious code can be isolated. |
| Containment of Untrusted Behavior | If a redirect or script looks suspicious (e.g., redirecting through unknown domains), it can be contained before credentials or cookies are handed off. |
| Minimal Trust Model | Only allow explicitly trusted actions; block anything else. This limits what attackers can do, even if they get some foothold. |
| Proven Record | AppGuard has been used successfully in sensitive environments for years, stopping zero-day exploits, ransomware, and phishing-based threats. |
Put simply, with AppGuard in place, many of these fancy redirect tricks or phishing proxies would be neutralized before they can exploit ADFS or steal session tokens. The user might never even see the phishing page—or if they do, it’s in an environment where they cannot do real harm.
- Review your current security posture: What tools do you use for endpoint protection? Are you heavily reliant on detection, or do you have containment controls?
- Audit your ADFS, SSO, and tenant configurations: Are there open redirects or tenant misconfigurations that could be abused?
- Train users: Even with great tools, user awareness helps. But don’t depend on it alone.
- Deploy tools that isolate and contain: Not all endpoint protection is the same. You want something that prevents the execution or impact of malicious behavior, not just alerts after the fact.
The campaign described in Cyber Security News shows us that relying on “detect and respond” is no longer enough. Attackers are using trusted systems and legitimate infrastructure to launch more subtle, harder-to-trace phishing attacks. To mitigate the risk, businesses must adopt strategies and tools that provide isolation and containment—so threats can be neutralized as soon as they emerge.
If you’re a business owner who wants to stop incidents like this before they happen, talk with us at CHIPS. We can show you how deploying AppGuard shifts your security from detect and respond to isolation and containment. With AppGuard’s commercial version—backed by a decade of real-world success—you can protect your endpoints against phishing, credential theft, and advanced adversaries.
Don’t wait until credentials are compromised. Contact CHIPS today to see how AppGuard can defend your organization proactively.