Attackers Mimic ADFS Login Pages to Steal Credentials and Bypass MFA for Account Takeover
Attack Overview
Step 1: Spoofed IT Email
Attackers send an email spoofing the internal IT team that urges employees to update or integrate their accounts with a new system. The message contains a malicious link leading to a fraudulent login portal.

- Email appears to come from the internal IT help desk.
- The subject line and tone emphasize urgency.
- Link directs users to what looks like a standard ADFS login page.
Step 2: Fake ADFS Login Page
The phishing site replicates the ADFS interface and branding of the targeted organization. It collects usernames, passwords, and MFA codes, and prompts victims to approve MFA push notifications.

- Login page mimics official ADFS portal design.
- Users enter credentials and MFA codes unknowingly.
- Some victims approve push prompts, enabling MFA bypass.
Step 3: Account Takeover via VPN
With valid credentials and MFA tokens in hand, attackers log in through a VPN to evade geolocation-based detections and then proceed with further compromise.

- Attackers gain persistent access to victim accounts.
- They conduct follow-up BEC and lateral phishing attacks.
- VPN access masks unauthorized login behavior.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- Spoofed IT messages closely resemble legitimate internal emails.
- The fake ADFS login page convincingly mimics the real one.
- Victims are redirected to the legitimate login page after their credentials are captured, reducing suspicion.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Never-before-seen senders and unusual URLs.
- Abnormal user login behavior, including geographic anomalies.
- Email content suggesting urgent IT action requiring user credentials.
By learning established normal behavior and flagging these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
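The detection factors above (a never-before-seen sender, a link to a lookalike ADFS host, and urgent IT wording that asks for credentials) can be turned into a simple triage rule. The following is an added illustration, not Abnormal's detection logic; the organisation domain, ADFS host, known-sender list and both sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed organisation settings (constructed for this example, not a real tenant).
LEGIT_ADFS_HOST = "adfs.example-corp.com"
ORG_DOMAIN = "example-corp.com"
KNOWN_SENDERS = {"helpdesk@example-corp.com"}  # senders the org has seen before

URGENT_IT = re.compile(r"\b(urgent|immediately|within 24 hours|action required)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(sign in|log ?in|verify your (account|credentials)|update your (password|account))\b", re.I)
DISPLAY_IT = re.compile(r"\b(it|help ?desk|service desk|support)\b", re.I)
ADFS_WORDS = ("adfs", "sso", "login", "signin")

def link_hosts(body):
    """Extract the hostnames of every http(s) link in the message body."""
    return [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"']+", body)]

def is_lookalike(host):
    """True for a host that is not the real ADFS endpoint (or any org subdomain)
    but borrows ADFS/SSO wording or the organisation's name to look like it."""
    if host == LEGIT_ADFS_HOST or host.endswith("." + ORG_DOMAIN):
        return False
    org_label = ORG_DOMAIN.split(".")[0]
    return any(w in host for w in ADFS_WORDS) or org_label in host

def score_email(msg):
    """Return (score, reasons) for a message dict with sender, display_name, subject, body."""
    reasons = []
    sender = msg["sender"].lower()
    if sender not in KNOWN_SENDERS:
        reasons.append("never-before-seen sender")
    # An 'IT Help Desk' display name on an external address is a classic spoof.
    if DISPLAY_IT.search(msg["display_name"]) and not sender.endswith("@" + ORG_DOMAIN):
        reasons.append("display name impersonates internal IT from external domain")
    text = msg["subject"] + " " + msg["body"]
    if URGENT_IT.search(text) and CREDENTIAL_ASK.search(text):
        reasons.append("urgent IT action requiring credentials")
    for host in link_hosts(msg["body"]):
        if is_lookalike(host):
            reasons.append(f"lookalike ADFS link: {host}")
    return len(reasons), reasons

# Constructed sample messages: one modelled on the campaign, one benign IT notice.
SAMPLE_PHISH = {"sender": "it-support@mail-notify.net", "display_name": "IT Help Desk",
    "subject": "Action required: integrate your account with the new HR system",
    "body": "Please sign in within 24 hours at https://example-corp-adfs.login-portal.net/adfs/ls/ to finish migration."}
SAMPLE_LEGIT = {"sender": "helpdesk@example-corp.com", "display_name": "IT Help Desk",
    "subject": "Monthly maintenance window",
    "body": "Systems will be offline Saturday 02:00-04:00. Details: https://intranet.example-corp.com/maintenance"}

if __name__ == "__main__":
    for m in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(m["subject"], "->", score_email(m))
```

A score of two or more on a message that links to a sign-in page is a reasonable threshold for quarantine and analyst review, while the benign notice scores zero because its sender is known and its link stays on the organisation's own domain.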
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.