Researchers found that the threat group targeted Office 365 environments believed to use a hybrid authentication model or to run fully in the cloud. The threat actor hijacked the AD FS server, probably using stolen credentials, gained access to it and abused its SAML tokens. The attackers specifically targeted the token-signing certificates and private keys used to sign SAML tokens on those servers. This certificate is valid for one year by default. Possession of it allows the attackers to log in to Azure or Office 365 as any existing user in AD, regardless of any password reset or MFA requirement.
The recent attack is complex and was carried out to obtain the token-signing certificate and thereby gain entry to a specific target network. Experts therefore suggest adding extra layers of protection around SAML certificates and, in case of compromise, re-issuing the certificates on AD FS twice and forcing re-authentication for all users.
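The remediation described above, as an added PowerShell example that is not part of the original article: two urgent rollovers of the AD FS token-signing certificate, a check that the pre-incident thumbprints are gone, republishing the new certificates to the cloud federation trust, and a forced re-authentication of all users. It assumes an elevated session on the primary AD FS node with the ADFS, MSOnline and Microsoft.Graph modules available; the domain name is a placeholder.

```powershell
# Added example, not code from the original article. Assumes: elevated session on the
# primary AD FS node; ADFS, MSOnline and Microsoft.Graph modules installed.
$FederatedDomain = "contoso.example"   # placeholder: replace with the federated domain

# 1. Record the currently trusted token-signing certificates so the old thumbprints
#    can be checked for after the rollover.
$before = Get-AdfsCertificate -CertificateType Token-Signing
$oldThumbprints = $before | ForEach-Object { $_.Certificate.Thumbprint }
"Token-signing certificates before rollover:"
$before | Format-Table IsPrimary,
    @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
    @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } }

# 2. Update-AdfsCertificate only generates certificates when automatic rollover is on.
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    Set-AdfsProperties -AutoCertificateRollover $true
}

# 3. Roll over twice with -Urgent. Each run generates a new certificate and promotes it
#    to primary immediately, demoting the previous primary to secondary; the second run
#    pushes the last pre-incident certificate out of the secondary slot as well.
1..2 | ForEach-Object {
    Update-AdfsCertificate -CertificateType Token-Signing -Urgent
}

# 4. Verify that AD FS no longer trusts any pre-incident thumbprint.
$after = Get-AdfsCertificate -CertificateType Token-Signing
$stillTrusted = $after | Where-Object { $oldThumbprints -contains $_.Certificate.Thumbprint }
if ($stillTrusted) {
    throw "Rollover incomplete: a pre-incident token-signing certificate is still present."
}

# 5. Publish the new signing certificates to the cloud federation trust; until this is
#    done the tenant keeps accepting assertions signed with the old key.
Connect-MsolService
Update-MsolFederatedDomain -DomainName $FederatedDomain

# 6. Force re-authentication: invalidate refresh tokens and session cookies for all users
#    so that sessions established with forged tokens are cut off.
Connect-MgGraph -Scopes "User.ReadWrite.All"
Get-MgUser -All -Property Id | ForEach-Object {
    Revoke-MgUserSignInSession -UserId $_.Id | Out-Null
}
```

Steps 3 and 6 are disruptive to every federated user, so run them in a planned incident-response window and confirm step 4 before publishing in step 5.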