Turning Microsoft's Login Page into our Phishing Infrastructure
This talk demonstrates several advanced techniques for weaponizing the legitimate Microsoft login portal for highly convincing phishing campaigns. The researcher explores abusing features like Open Redirects, Self-Service Sign-up, and Custom Company Branding to bypass security controls and capture credentials. These methods allow attackers to maintain a high level of trust while performing adversary-in-the-middle (AitM) attacks and credential harvesting. The presentation includes practical demonstrations of these techniques, including the use of custom CSS to manipulate the login interface.
Weaponizing Microsoft’s Login Portal: Advanced AitM and Credential Harvesting
TLDR: This research demonstrates how to turn the legitimate Microsoft login portal into a high-trust phishing infrastructure by abusing Open Redirects, Self-Service Sign-up, and Custom Company Branding. By manipulating CSS and leveraging Pass-Through Authentication (PTA) agent backdoors, attackers can perform convincing Adversary-in-the-Middle (AitM) attacks that bypass standard user awareness training. Security teams must move beyond simple domain reputation checks and implement phishing-resistant MFA to mitigate these sophisticated credential harvesting techniques.
Phishing remains the most reliable path to initial access, yet most organizations still rely on outdated indicators like suspicious domain names or obvious typosquatting to detect it. When a phishing page lives on a legitimate Microsoft domain, those indicators vanish. This research highlights how easily an attacker can weaponize the very infrastructure meant to secure user identities, turning the Microsoft login portal into a perfect, high-trust phishing platform.
The Mechanics of Trust
The core of this attack is the abuse of legitimate Microsoft features to host malicious content. By exploiting Open Redirects within the authentication flow, an attacker can craft a URL that appears to originate from Microsoft but redirects the victim to an attacker-controlled server after the initial interaction.
The research goes further by abusing Self-Service Sign-up to register guest accounts in an attacker-controlled tenant. By adding custom attributes—such as a password field or an MFA code field—during the sign-up flow, an attacker can force the user to provide sensitive information directly into a Microsoft-hosted interface. Because the user is interacting with a legitimate Microsoft domain, the perceived risk is near zero.
Manipulating the Interface with CSS
One of the most impressive aspects of this research is the use of Custom Company Branding to inject malicious CSS. While Microsoft filters out dangerous elements like JavaScript, the ability to upload custom CSS allows an attacker to hide legitimate UI elements and inject custom images.
By targeting specific CSS selectors, an attacker can hide the standard "Sign In" button and replace it with a custom image that mimics a legitimate prompt, or even inject a fake MFA code entry field. The following CSS snippet demonstrates how to hide the standard button container:
.ext-button-field-container {
    display: none;
}
By combining this with custom fonts, an attacker can make the hyphen glyph render as a different letter, allowing them to register domains like micro-oft.com that appear identical to microsoft.com to the human eye.
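As an added example (not code from the talk), the following Python audit scans a tenant's custom branding CSS for the patterns described above: rules that hide sign-in elements (the page's .ext-button-field-container snippet), @font-face declarations used for glyph tricks, and assets pulled from hosts outside an allowlist. The sample CSS, the selectors other than the one on the page, and the trusted-host list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

HIDE_PATTERN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
URL_PATTERN = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
RULE_PATTERN = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)


@dataclass
class Finding:
    kind: str      # "hides_element", "custom_font" or "external_asset"
    selector: str
    detail: str


def audit_branding_css(css: str, trusted_hosts: set) -> list:
    """Flag CSS that hides sign-in UI, declares fonts, or loads assets from untrusted hosts.
    Handles a flat rule list (no nested @media blocks), which is what branding CSS normally is."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # strip comments so they cannot mask declarations
    findings = []
    for selector, body in RULE_PATTERN.findall(css):
        selector = " ".join(selector.split())
        if selector.lower().startswith("@font-face"):
            findings.append(Finding("custom_font", selector, body.strip()))
        elif HIDE_PATTERN.search(body):
            findings.append(Finding("hides_element", selector, HIDE_PATTERN.search(body).group(0)))
        for url in URL_PATTERN.findall(body):
            host = (urlparse(url).hostname or "").lower()
            # data: URLs embed the asset inline, so they bypass any host allowlist and are flagged too
            if url.lower().startswith("data:") or host not in trusted_hosts:
                findings.append(Finding("external_asset", selector, url))
    return findings


# Constructed sample: the first rule is the snippet from the page, the rest are illustrative.
SAMPLE_CSS = """
/* hide the real button */
.ext-button-field-container { display: none; }
.ext-example-box { background-image: url("https://cdn.example.invalid/fake-prompt.png"); }
@font-face { font-family: "Lookalike"; src: url(https://cdn.example.invalid/lookalike.woff2); }
.ext-example-logo { background-image: url('https://aadcdn.example.invalid/logo.png'); }
"""

if __name__ == "__main__":
    # The allowlist is constructed; use the tenant's known CDN hosts in practice.
    for f in audit_branding_css(SAMPLE_CSS, trusted_hosts={"aadcdn.example.invalid"}):
        print(f"{f.kind:15} {f.selector:30} {f.detail}")
```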
Abusing Pass-Through Authentication
For organizations using Pass-Through Authentication (PTA), the risk is significantly higher. PTA allows users to sign in to cloud applications using their on-premises credentials. The process involves an on-premises agent that decrypts the password in cleartext to validate it against the local Domain Controller.
If an attacker gains sufficient privileges to compromise the server hosting the PTA agent, they can install a tool like PTASpy to intercept these cleartext credentials. The attack flow is straightforward:
- The attacker sets up a malicious tenant with PTA enabled.
- The attacker backdoors the PTA agent on a compromised on-premises server.
- The attacker tricks a user into signing into the attacker's tenant.
- The PTA agent captures the cleartext credentials as they are processed.
This technique effectively turns the organization's own authentication infrastructure into a credential harvester. Even if the user is suspicious, the fact that they are entering their password on a legitimate Microsoft login page provides a false sense of security that is difficult to overcome with standard user training.
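As an added example (not code from the talk), this Python check lists code modules loaded into the PTA agent process from anywhere other than the agent's own install directory and the Windows system directories, which is where an injected hooking DLL shows up. The install path, process name and directory list are assumptions to be confirmed against the actual host; the module list below is constructed.

```python
from pathlib import PureWindowsPath

# Assumed install directory and process name of the PTA agent; confirm on the host.
AGENT_DIR = PureWindowsPath(r"C:\Program Files\Microsoft Azure AD Connect Authentication Agent")
AGENT_PROCESS = "AzureADConnectAuthenticationAgentService.exe"
# Directories the agent process is expected to load OS and .NET runtime code from (assumed list).
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
    PureWindowsPath(r"C:\Windows\Microsoft.NET"),
    PureWindowsPath(r"C:\Windows\assembly"),
)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path lies inside root; both are lower-cased first because NTFS is case-insensitive."""
    try:
        PureWindowsPath(str(path).lower()).relative_to(PureWindowsPath(str(root).lower()))
        return True
    except ValueError:
        return False


def unexpected_modules(module_paths, agent_dir=AGENT_DIR, system_dirs=SYSTEM_DIRS) -> list:
    """Return loaded modules that come from outside the agent folder and the system folders.
    A DLL injected to hook password validation lives elsewhere, so it lands in this list."""
    suspicious = []
    for raw in module_paths:
        p = PureWindowsPath(raw)
        if not (_under(p, agent_dir) or any(_under(p, d) for d in system_dirs)):
            suspicious.append(str(p))
    return suspicious


def live_agent_modules(process_name: str = AGENT_PROCESS) -> list:
    """Collect the agent process's mapped files on a Windows host (needs the third-party psutil)."""
    import psutil
    for proc in psutil.process_iter(["name"]):
        if (proc.info["name"] or "").lower() == process_name.lower():
            return [m.path for m in proc.memory_maps()]
    return []


# Constructed sample of what a module listing might look like; the last entry is the outlier.
SAMPLE_MODULES = [
    str(AGENT_DIR / AGENT_PROCESS),
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\SYSTEM32\kernel32.dll",
    r"C:\Users\Public\hook.dll",
]

if __name__ == "__main__":
    print(unexpected_modules(SAMPLE_MODULES))
```

Run it against live_agent_modules() on the agent host and treat any non-empty result as the "unauthorized modification" the text describes.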
Real-World Applicability
During a red team engagement, these techniques are devastating. A pentester can use these methods to bypass traditional email security solutions that rely on domain reputation. Since the phishing link points to login.microsoftonline.com, most automated scanners will classify the link as safe.
The impact is not limited to simple credential theft. By capturing the session cookies during an AitM attack, an attacker can bypass many forms of MFA, especially if the organization has not yet transitioned to phishing-resistant methods like FIDO2 security keys.
Defensive Considerations
Defending against these attacks requires a shift in strategy. Relying on users to spot a malicious URL is no longer sufficient when the URL is legitimate. Organizations must enforce phishing-resistant MFA, such as FIDO2/WebAuthn, which binds the authentication process to the specific origin, rendering AitM attacks ineffective.
Additionally, monitoring for unusual activity on servers hosting PTA agents is critical. Any unauthorized modification to these agents should be treated as a full domain compromise. Finally, audit your Entra ID tenant settings to ensure that features like Self-Service Sign-up are restricted to authorized users and that custom branding is strictly monitored for unauthorized CSS injections.
The era of relying on "look-alike" domains for phishing detection is over. Attackers are now using the platforms themselves to facilitate the compromise, and our defenses must evolve to match this reality.