Microsoft ADFS Redirect Exploit Proves Legacy MFA Is Broken
By Kevin Surace | 4 minute read
Last week, BleepingComputer reported on a clever new phishing campaign targeting Microsoft users. Instead of pixel-perfect fake sites or smishing lures, attackers are now abusing legitimate Microsoft ADFS redirect endpoints to steal logins.
This matters because everything looks authentic to the victim. The browser displays real Microsoft URLs. Users type in their credentials, complete multi-factor authentication, and see no errors. But in reality, the attacker has relayed the entire session, giving them full access to the corporate environment.
If your enterprise is still relying on push notifications, authenticator apps, or SMS codes, this attack works flawlessly. Here’s why, and why Token technology would have stopped it cold.
Why Legacy MFA Cannot Stop ADFS Redirect Abuse
At the heart of this exploit is a design flaw in most MFA: it trusts the session flow instead of validating the origin.
- A victim clicks a malicious link crafted with a real Microsoft redirect parameter.
- The redirect takes them through a legitimate Microsoft endpoint before landing on a maliciously controlled destination.
- The login and MFA flow is proxied to the real Microsoft service. The victim thinks they’re authenticating normally.
- The attacker captures the signed session and gains valid Microsoft 365 access.
Traditional MFA methods — SMS codes, authenticator apps, push prompts — all fail here. Why? Because they never check:
- Who is authenticating (the biometric identity of the user)
- Where the request originates (the real domain vs a relay)
- Whether the user is physically present at the device logging in
Without those checks, any real-time relay or redirect attack can succeed. This is exactly how groups like Scattered Spider and Octo Tempest have breached insurers, airlines, and global distributors in the past year.
How Token Would Stop the Redirect Hack Cold
Token Ring and Token BioStick were engineered specifically to close this class of vulnerability. Here’s how the protection works in practice:
- Origin Binding (rpIdHash Validation)
Every Token device creates a unique key pair bound to the exact domain it registered with (e.g., login.microsoftonline.com). When a spoofed or redirected domain tries to request authentication, Token checks the rpIdHash. If it doesn’t match the original domain, the device simply refuses to sign the challenge. No key release, no login.
- Live Biometric Match
Each authentication requires a fingerprint scan directly on the Token hardware. Even if attackers trick users into a relay flow, they cannot complete the login without a biometric match on the real device. Credentials alone are worthless.
- Proximity Enforcement
Token authenticators work only when they’re physically near the device being logged into, via encrypted Bluetooth or USB. A remote attacker relaying through proxies cannot spoof this.
- No Shared Secrets
Legacy MFA relies on codes, approvals, or synced secrets — all phishable. Token uses true public-key cryptography. The private key never leaves the device, cannot be replayed, and cannot be intercepted.
THE RESULT: even if a user clicks a malicious redirect, the phishing kit can’t capture reusable credentials. The login fails silently.
Why This Matters for CISOs
The ADFS redirect exploit underscores a hard truth: attackers don’t need to break into your network — they just need to log in. And as long as authentication methods rely on user judgment or shared secrets, attackers will win.
Microsoft’s redirect endpoints aren’t going away. Neither are phishing kits. Generative AI makes building pixel-perfect login portals trivial in under a minute. Training users to “check the URL carefully” is a losing strategy.
For CISOs, the question is not whether another redirect or relay exploit will emerge — it’s whether your MFA can resist it. If your enterprise is still on SMS, TOTP, push, or even cloud-synced passkeys, you’re already vulnerable.
Token technology changes the equation. With hardware-bound biometrics, cryptographic origin binding, and proximity enforcement, Token eliminates the very attack vectors that redirect exploits depend on. No user decision. No code entry. No chance to relay.
The Bottom Line
The Microsoft ADFS redirect exploit is just the latest reminder: legacy MFA is obsolete. Attackers aren’t breaking in. They’re logging in — with your users’ help.
Token ensures they can’t.
With Token Ring or Token BioStick deployed across your workforce:
- Redirect attacks fail.
- Relay attacks fail.
- Phishing fails.
- MFA fatigue fails.
That’s the standard CISOs should be demanding in 2025. Anything less is wishful thinking.
Read the full coverage of the Microsoft exploit at BleepingComputer. And if you want to see how Token can deadbolt your front door, talk to one of our experts.