How Phishing Campaigns Bypass Multi-Factor Authentication to Enable Account Takeover
This report by Abnormal Security details an ongoing phishing campaign exploiting Microsoft Active Directory Federation Services (ADFS) to bypass multi-factor authentication (MFA) and enable account takeovers. Attackers create spoofed ADFS login pages that mimic legitimate enterprise portals, deceiving users into revealing credentials and second-factor authentication data.
The campaign uses convincing social engineering tactics—such as authentic-looking branding, subtle urgency cues, and URL obfuscation—to harvest login information. Once access is gained, threat actors conduct post-compromise actions including lateral phishing, creation of hidden mail filters, and financial fraud. Over 150 organizations have been affected, primarily in the education sector (52.7%), followed by healthcare, government, and technology industries.
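One of the post-compromise steps named above, the creation of hidden mail filters, leaves a trace in the Microsoft 365 Unified Audit Log as `New-InboxRule` / `Set-InboxRule` operations. The following detection example is added here and is not code from the Abnormal Security report; it scans constructed audit records (the field layout follows the audit log's `Operation` / `UserId` / `Parameters` shape, the values and the low-visibility folder list are assumptions made for this example) and flags rules whose actions delete, divert or forward mail so the mailbox owner does not see it.

```python
"""Flag inbox rules that hide mail from the mailbox owner.

Added example, not part of the report. Input records are constructed to look
like Unified Audit Log entries; parameter names such as DeleteMessage,
MoveToFolder, ForwardTo and MarkAsRead are the Exchange inbox-rule cmdlet
parameters that appear in those entries. All values are invented.
"""
import json

# Folders where diverted mail tends to go unnoticed (assumption for this example).
LOW_VISIBILITY_FOLDERS = {
    "rss subscriptions", "rss feeds", "archive", "deleted items",
    "junk email", "conversation history",
}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = (
    "SubjectContainsWords", "BodyContainsWords",
    "SubjectOrBodyContainsWords", "FromAddressContainsWords",
)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample records, one JSON document per line, as an export would look.
SAMPLE_LOG_LINES = [
    json.dumps({
        "Operation": "New-InboxRule", "UserId": "alice@example.com",
        "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Name", "Value": "invoice"},
            {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire transfer"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "Operation": "New-InboxRule", "UserId": "bob@example.com",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@example.com"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    }),
    json.dumps({
        "Operation": "Set-InboxRule", "UserId": "carol@example.com",
        "ClientIP": "203.0.113.44",
        "Parameters": [
            {"Name": "Identity", "Value": "."},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "ForwardTo", "Value": "mailbox@external-placeholder.invalid"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "dave@example.com", "Parameters": []}),
]


def parameters(record):
    """Flatten the record's Name/Value parameter list into a plain dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_true(value):
    return value.strip().lower() == "true"


def assess_rule(record):
    """Return the reasons a rule record looks like a hidden mail filter.

    An empty list means none of the hiding traits checked here are present.
    """
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = parameters(record)
    reasons = []
    if is_true(params.get("DeleteMessage", "")):
        reasons.append("deletes matching messages")
    folder = params.get("MoveToFolder", "").strip().lower()
    if folder in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"moves matching messages to low-visibility folder '{params['MoveToFolder']}'")
    for name in FORWARD_PARAMS:
        if params.get(name):
            reasons.append(f"{name} sends mail to {params[name]}")
    keywords = [params[k] for k in KEYWORD_PARAMS if params.get(k)]
    # MarkAsRead on its own is common; it matters when paired with a hiding
    # action or with keyword conditions typical of payment interception.
    if is_true(params.get("MarkAsRead", "")) and (reasons or keywords):
        reasons.append("marks matching messages as read")
    if reasons and keywords:
        reasons.append("filters on keywords: " + "; ".join(keywords))
    return reasons


def scan(log_lines):
    """Parse each JSON line and collect findings for rules that hide mail."""
    findings = []
    for line in log_lines:
        record = json.loads(line)
        reasons = assess_rule(record)
        if reasons:
            params = parameters(record)
            findings.append({
                "user": record.get("UserId"),
                "operation": record["Operation"],
                "rule_name": params.get("Name") or params.get("Identity"),
                "client_ip": record.get("ClientIP"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(f"{finding['user']} {finding['operation']} rule={finding['rule_name']!r} "
              f"from {finding['client_ip']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed lines, the script reports Alice's delete-and-mark-read rule on payment keywords and Carol's divert-and-forward rule, and stays silent on Bob's ordinary newsletter rule. In production the same logic would run over a real audit export, with the client IP and the time since the user's last successful sign-in added as context for the analyst.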
The report stresses that reliance on legacy ADFS systems increases exposure to such attacks. It recommends migrating to Microsoft Entra for modern identity management, implementing AI-based behavioral threat detection, and strengthening user awareness training to mitigate risks.