Phishing Campaign Uses Real Time Active Directory Validation of Credentials

A new phishing technique has been identified where the attackers validate Office 365 credentials in real time using Active Directory.

One of the problems with many phishing landing pages is they capture credentials when they are entered by the user but no checks are performed to make sure the credentials have been entered correctly. In the event of a typo, the incorrect password or username will be captured.

A phishing attack detected by researchers at Armorblox gets around this problem by validating credentials in real time. A spear phishing email was sent to a senior executive an unnamed American company. The subject line of the email was “ACH Debit Report”, with the message body explaining the Payment Remittance Report was included as an attachment. The email concluded with “Thank you for your business”. The email had been sent from the domain in order to bypass DKIM and SPF checks. The domain used for hosting the phishing form had only received very limited numbers of visits, suggesting the attackers were conducting highly targeted spear phishing attacks.

When the email attachment is opened in a web browser, the browser displays a login prompt exactly the same as the genuine login prompt for Office 365. The user’s email address was pre-filled with the user’s Active Directory email address, not his public facing email address.

The company had recently changed public email addresses but had not changed Active Directory credentials. The attacker appeared to be aware of this. While the login prompt matched Office 365, a non-standard message was included saying, “Because you’re accessing sensitive info, you need to verify your password.’

Rather than simply capturing the password, authentication APIs were used to cross-check the entered password with Azure Active Directory, Microsoft’s directory service. AD is used to manage permissions for access to network resources. By performing this check, the attackers confirm that the entered information is correct in real-time.

“Azure Active Directory sign on logs show an immediate sign on attempt corresponding to XHR requests performed on the attachment webpage,” said Arborblox.

If the correct credentials are entered, the user is redirected to if incorrect credentials are entered, the user is redirected to to hide the phishing attempt and make it appear that the user has genuinely failed to login. If an attempt is made to login with the password field blank, or if the password entered is too short, the user will be prompted to re-enter their password.

The researchers conducted a test to check whether the credentials were checked in real time by entering a test login with a dummy password, and saw that in the Azure Active Directory Sign-In portal that an unsuccessful login attempt had been made at the exact time the login was attempted. The IP address was the same as the victim’s machine with the failed login showing Provo, Utah as the location. Provo is the data center where the website is hosted by an Indian hosting company. The domain on which the login was hosted was registered at with a Singapore domain registrar.

Most phishing emails are sent Monday to Friday in Office hours, but the timing of the email suggests it was sent to maximize the chance of success – On Friday evening when the target’s guard would likely be down. The timing of the phishing email was such that it would be likely that any credentials stolen in the attack could be used over the weekend at a time when the access would be unlikely to be detected.  During that time the attackers could set up email forwarding rules, access emails and other services such as OneDrive, and install third-party apps within the Office 365 ecosystem.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of