Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows
"Microsoft has discovered a new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM, Cozy Bear) that enables authentication as anyone in a compromised network.
As a state-sponsored cyberespionage actor, APT29 employs the new capability to hide their presence on the networks of their targets, typically government and critical organizations across Europe, the U.S., and Asia."
Saw that. "replaces a legitimate DLL used by ADFS with a malicious version" is the bit I cannot get past. If the bad actor has gained the necessary permissions to replace a DLL, it seems like we have already reached "game over". Does not really matter what they do after that. The machine is compromised and all data processed by it needs to be presumed disclosed.
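For readers who want a concrete check against the DLL-replacement step the article describes, here is an added defender-side example (not from the article, Microsoft, or the commenter above). It audits the Authenticode signatures and SHA-256 hashes of every DLL under the AD FS install directory and the .NET GAC, flags anything that is unsigned, has a broken signature, or is signed by someone other than Microsoft, and optionally diffs against a previously saved baseline. The paths `$env:windir\ADFS` and `$env:windir\Microsoft.NET\assembly` and the `-Baseline` file format are assumptions for this example; adjust them to your deployment.

```powershell
# Added example: integrity audit of AD FS assemblies (assumed locations, not the
# article's code). Run elevated on the AD FS server; compare against a baseline
# captured when the server was known-good.
param(
    [string[]]$Paths = @("$env:windir\ADFS", "$env:windir\Microsoft.NET\assembly"),  # assumed
    [string]$Baseline = "",            # optional: CSV produced by an earlier run
    [string]$SaveBaseline = ""         # optional: write this run's inventory to CSV
)

function Get-AdfsDllInventory {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path     = $_.FullName
                    Status   = [string]$sig.Status            # Valid / NotSigned / HashMismatch / ...
                    Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                    Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Modified = $_.LastWriteTimeUtc.ToString('o')
                }
            }
    }
}

$inventory = @(Get-AdfsDllInventory -Roots $Paths)

# Anything not validly signed, or signed by a non-Microsoft subject, deserves a look.
$suspect = $inventory | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}

Write-Host ("Scanned {0} DLLs; {1} with missing, broken or non-Microsoft signatures." -f
    $inventory.Count, @($suspect).Count)
$suspect | Format-Table -AutoSize Status, Signer, Modified, Path

# Optional baseline diff: a hash change on a file that *still* carries a valid
# Microsoft signature would be a legitimate update; a hash change plus a signature
# problem is exactly the pattern the article describes.
if ($Baseline -and (Test-Path -LiteralPath $Baseline)) {
    $old = Import-Csv -LiteralPath $Baseline | Group-Object Path -AsHashTable -AsString
    $changed = $inventory | Where-Object {
        $old.ContainsKey($_.Path) -and $old[$_.Path].Sha256 -ne $_.Sha256
    }
    $new = $inventory | Where-Object { -not $old.ContainsKey($_.Path) }
    Write-Host ("Baseline diff: {0} changed, {1} new since baseline." -f @($changed).Count, @($new).Count)
    $changed + $new | Format-Table -AutoSize Status, Signer, Modified, Path
}

if ($SaveBaseline) {
    $inventory | Export-Csv -LiteralPath $SaveBaseline -NoTypeInformation
    Write-Host "Baseline written to $SaveBaseline"
}
```

Usage: `.\Audit-AdfsDlls.ps1 -SaveBaseline C:\baseline\adfs.csv` on a known-good server, then `.\Audit-AdfsDlls.ps1 -Baseline C:\baseline\adfs.csv` on a schedule. The check is only as trustworthy as the host running it, which is the commenter's point: a signature audit run on an already-owned server can itself be subverted, so store the baseline off-box and treat a failed check as a reason to rebuild rather than repair.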