Hackers Exploit Microsoft ADFS and office.com Redirects in Sophisticated Microsoft 365 Phishing Scheme

Attackers are turning trusted URLs into stealth weapons for phishing campaigns that sidestep traditional defenses.

By mradmin

Threat actors are abusing Microsoft’s own infrastructure—including legitimate office.com links and Active Directory Federation Services (AD FS)—to execute an advanced phishing campaign that bypasses URL filters and even multi-factor authentication (MFA). According to Push Security researchers, the attackers crafted a malicious redirect chain that begins with a sponsored search result for the typo “Office 265,” eventually funneling users through a legitimate outlook.office.com link and landing them on a credential-harvesting phishing site.

The campaign cleverly leverages a custom Microsoft tenant with AD FS enabled, which acts as a trusted identity provider during the login process. This allows attackers to intercept authentication flows without raising red flags for security agents, since the process begins within Microsoft’s trusted domains. The redirect to a phishing domain—disguised as a travel website—only activates if the user meets specific conditions, further evading detection by automated scanners and analysts.

Once inside the chain, users land on a standard-looking phishing page designed to steal Microsoft 365 credentials. To make the intermediary domain (bluegraintours[.]com) appear legitimate, attackers filled it with fake blog content and obfuscated its role in the attack. If a visitor doesn’t meet attacker-defined criteria, they are simply sent back to the real office.com site, adding an additional layer of stealth to the campaign.


While no specific industries were targeted, Microsoft AD FS is commonly used in legacy medical and healthcare environments to provide secure access to clinical applications and patient data, especially in environments with complex identity management needs. It allows organizations to implement federated identity management, enabling users to access multiple applications with a single set of credentials, which is crucial for healthcare settings where professionals need access to various systems.

To defend against this, healthcare IT admins are urged to monitor for AD FS redirect anomalies and educate users on the risks of sponsored search results, especially those mimicking high-profile login portals.
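The redirect-chain monitoring the closing advice calls for, as an added example that is not part of the original article or Push Security's research: it groups constructed proxy-log hops by session and flags chains that pass through an AD FS sign-in endpoint (/adfs/ls) on a host the organisation never federated with, or that start on a Microsoft host and end off-platform. The log format, the allowlist and the hostnames (sts.corp.example for the organisation's own AD FS farm, sts.foreign-tenant.example and travel-blog.example for the attacker side) are assumptions.

```python
from urllib.parse import urlparse

# Hosts the organisation expects sign-in traffic to touch (assumed allowlist);
# sts.corp.example stands in for the organisation's own AD FS farm.
KNOWN_SUFFIXES = ("microsoft.com", "office.com", "microsoftonline.com",
                  "bing.com", "sts.corp.example")

# Constructed proxy log: "<session> <requested-url> <http-status>", one hop per line.
SAMPLE_LOG = """\
s1 https://www.bing.com/aclick?ld=ad123 302
s1 https://outlook.office.com/owa/ 302
s1 https://login.microsoftonline.com/common/oauth2/authorize 302
s1 https://sts.foreign-tenant.example/adfs/ls/?wa=wsignin1.0 302
s1 https://travel-blog.example/login 200
s2 https://outlook.office.com/ 302
s2 https://login.microsoftonline.com/common/oauth2/authorize 302
s2 https://sts.corp.example/adfs/ls/?wa=wsignin1.0 200
s3 https://outlook.office.com/owa/ 302
s3 https://sts.foreign-tenant.example/adfs/ls/?wa=wsignin1.0 302
s3 https://www.office.com/ 200
"""

def known_host(host):
    host = host or ""
    return any(host == s or host.endswith("." + s) for s in KNOWN_SUFFIXES)

def parse_log(text):
    """Group requested URLs by session, preserving hop order."""
    chains = {}
    for line in text.strip().splitlines():
        session, url, _status = line.split()
        chains.setdefault(session, []).append(url)
    return chains

def flag_chain(urls):
    """Return anomaly labels for one redirect chain (empty list means benign)."""
    parsed = [urlparse(u) for u in urls]
    flags = []
    for p in parsed:  # AD FS sign-in on an IdP host we never configured
        if p.path.startswith("/adfs/ls") and not known_host(p.hostname):
            flags.append("unknown_adfs_idp")
            break
    # A Microsoft-hosted start is what lets the chain past URL reputation checks.
    if known_host(parsed[0].hostname) and not known_host(parsed[-1].hostname):
        flags.append("external_landing")
    return flags

def scan(text):
    """Map session -> anomaly flags, keeping only sessions with findings."""
    found = ((s, flag_chain(u)) for s, u in parse_log(text).items())
    return {s: f for s, f in found if f}
```

Session s3 models the decoy path described above, where a visitor who fails the attacker's checks is bounced back to office.com, so the unknown IdP hop is the only signal left to catch.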
