ADFSjacking

Abuse of Active Directory Federation Services to steer a user through a trusted authentication flow into attacker infrastructure. The identity system itself becomes part of the lure, which makes the attack harder to spot with simple domain blocking or page reputation checks.

Expanded Definition

ADFSjacking is a phishing and redirect technique that exploits trusted Active Directory Federation Services flows so the victim is moved through a legitimate identity path into attacker-controlled infrastructure. It is not simply a fake login page. The abuse depends on trust in the federation sequence itself, which can make reputation-based filtering and basic domain blocking less effective.

In NHI and IAM terms, the attack highlights that identity infrastructure can be part of the lure, not only the target. ADFS is commonly used for single sign-on and claims-based access, so a successful abuse can preserve enough legitimacy to confuse users and defenders. The closest operational concerns are phishing-resistant authentication, federation trust validation, and tight control over redirect and token handling. Guidance varies across vendors on whether to classify ADFSjacking as a phishing subvariant, a federation abuse pattern, or a credential interception technique, but the practical risk is consistent: trusted identity paths can be turned into attacker delivery channels. For broader context on identity governance and attack surface reduction, see the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0.

The most common misapplication is treating every federation redirect as benign, which occurs when defenders trust the login brand instead of validating the full authentication path.

Examples and Use Cases

Implementing federation controls rigorously often introduces user friction and monitoring overhead, requiring organisations to weigh smoother sign-in experiences against stronger validation of every redirect and token exchange.

  • A user clicks a convincing sign-in link that routes through a legitimate ADFS endpoint before sending them to a spoofed application hosted by the attacker.
  • A compromised tenant or misconfigured federation trust lets attackers alter the post-authentication redirect destination while keeping the first step visually authentic.
  • Security teams detect unusual ADFS request patterns in logs and compare them against known phishing and federation abuse techniques described in the Ultimate Guide to NHIs.
  • A remote workforce uses federated SSO, and attackers rely on brand familiarity to bypass skepticism because the initial page is a real identity provider, not a fake clone.
  • Investigators map the redirect chain against NIST Cybersecurity Framework 2.0 logging and monitoring expectations to identify where the lure begins and where trust breaks down.
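The redirect validation and log review described in the bullets above, as an added Python example written for this entry rather than code from the journal or any vendor: it checks WS-Federation sign-in requests to the ADFS /adfs/ls/ endpoint, where wtrealm names the relying party and wreply names the post-authentication return URL, against an allowlist of registered reply hosts. The allowlist, host names and log lines are constructed sample values.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: relying-party identifier (wtrealm) -> hosts that may
# receive the post-authentication reply (wreply). Illustrative values only.
RP_ALLOWLIST = {
    "urn:federation:example-crm": {"crm.example.com"},
    "https://mail.example.com/": {"mail.example.com"},
}

def check_adfs_signin(url, allowlist=RP_ALLOWLIST):
    """Classify a WS-Federation sign-in URL as 'ok', 'suspicious' or 'ignore'.
    'suspicious' means a trusted relying party is named but the reply target
    is not one registered for it (the redirect-steering pattern above)."""
    parsed = urlparse(url)
    if not parsed.path.lower().startswith("/adfs/ls"):
        return "ignore", "not an ADFS sign-in endpoint"
    qs = parse_qs(parsed.query)
    realm = qs.get("wtrealm", [None])[0]
    reply = qs.get("wreply", [None])[0]
    if realm is None:
        return "ignore", "no wtrealm parameter"
    if realm not in allowlist:
        return "suspicious", f"unknown relying party {realm}"
    if reply is None:
        return "ok", "no wreply; ADFS falls back to the registered endpoint"
    reply_url = urlparse(reply)
    host = reply_url.netloc.lower()
    # Require TLS and an exact host match, so a look-alike domain fails here.
    if reply_url.scheme.lower() != "https" or host not in allowlist[realm]:
        return "suspicious", f"wreply host {host!r} not registered for {realm}"
    return "ok", f"wreply host {host} registered for {realm}"

def scan_log(lines, allowlist=RP_ALLOWLIST):
    """Return (timestamp, reason) for each suspicious '<timestamp> <url>' line."""
    flagged = []
    for line in lines:
        ts, _, url = line.partition(" ")
        verdict, detail = check_adfs_signin(url, allowlist)
        if verdict == "suspicious":
            flagged.append((ts, detail))
    return flagged

# Constructed sample log: clean sign-in, sign-in steered to a look-alike host,
# sign-in without wreply, and an unrelated request to the ADFS portal.
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z https://sts.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:example-crm&wreply=https://crm.example.com/",
    "2024-01-01T09:01:00Z https://sts.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:example-crm&wreply=https://crm.example-login.net/",
    "2024-01-01T09:02:00Z https://sts.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://mail.example.com/",
    "2024-01-01T09:03:00Z https://sts.example.com/adfs/portal/logo",
]
```

Running scan_log(SAMPLE_LOG) flags only the second line, whose wreply points at a host that is not registered for the named relying party.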

Why It Matters in NHI Security

ADFSjacking matters because identity trust is often reused across human and machine access paths. When a federation flow is abused, the problem is not only a stolen credential or a misleading link. It can also expose session tokens, downstream application access, and adjacent NHI dependencies that rely on the same identity fabric. This is especially relevant when organisations assume the identity provider itself guarantees safety.

NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, while only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs. That visibility gap matters here because federation abuse is easier to miss when defenders cannot trace which identities, tokens, and service dependencies are touched after a redirect-based compromise. Stronger alignment with the NIST Cybersecurity Framework 2.0 helps tie detection, response, and access control together, rather than treating the incident as a simple phishing case.

Organisations typically encounter the consequences only after a suspicious sign-in or downstream application misuse, at which point addressing ADFSjacking becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01              | Federation abuse can deliver credential theft and token misuse against NHI trust paths.
NIST CSF 2.0                    | PR.AA-1             | Identity proofing and access enforcement rely on trusted, validated authentication paths.
NIST Zero Trust (SP 800-207)    | 3.1                 | Zero Trust requires continuous verification rather than trusting the identity provider alone.

Harden federation flows, validate redirects, and monitor token abuse across identity trust paths.