The Never-Ending Loop of Phishing: How Attackers Exploit Psychology to Bypass MFA and Compromise Accounts

A new phishing campaign targeting Microsoft ADFS bypasses MFA with social engineering and technical deception. Learn how attackers take over accounts—and how to stop them.
February 5, 2025

Even the most widely adopted and trusted security measures can crumble when attackers exploit human nature.

A recent phishing campaign targeting Microsoft Active Directory Federation Services (ADFS) reveals just how effective social engineering and technical manipulation can be in compromising accounts despite the presence of multi-factor authentication (MFA).

The investigation into this attack provides three critical takeaways that every organization needs to consider: how attackers manipulate human psychology, how they methodically bypass MFA, and how account takeovers create a self-sustaining cycle of phishing attacks.

Phishing and the Power of Social Engineering

The foundation of this attack is a carefully designed phishing campaign that leverages social engineering to manipulate targets.

Unlike the examples typically used in security awareness training, which contain the usual red flags, these emails are polished, professional, and deceptively routine. They often masquerade as updates from internal IT teams, announcing security policy changes or system improvements with authentic branding and language that mimics standard corporate communications.

What makes this attack particularly deceptive is how seamlessly it transitions from an email to a spoofed login page. The phishing link directs targets to a fake ADFS portal that is nearly indistinguishable from the legitimate sign-in page. To reinforce the illusion of authenticity, attackers meticulously replicate branding, structure, and even URL patterns.

This step-by-step consistency is what exploits human psychology. Users who land on a login page that matches their everyday experience are less likely to question it, and the simplicity of the approach is what makes it effective: even security-conscious individuals can be deceived when an attack aligns flawlessly with their expectations.

MFA Bypass: A Multi-Step Deception

One of the most alarming aspects of this campaign is its sophisticated method for bypassing MFA. While many phishing attacks focus solely on stealing credentials, this one systematically captures all authentication factors in separate stages.

First, the phishing page collects the target's username and password. Then the page adapts to the organization's MFA configuration and displays a matching prompt for the second factor, such as a code from an authenticator app, an SMS verification code, or a push notification. Whatever the victim types or approves is useful to the attacker only because the stolen password is being submitted to the real ADFS service at the same moment; in the push-notification case, the prompt the victim is told to approve is the genuine one that the legitimate service generated for the attacker's sign-in.

By dividing MFA authentication into multiple steps, the attackers increase their chances of success. If a victim is hesitant at any point, subtle prompts encourage them to proceed. For instance, if the organization uses push notifications for authentication, the phishing site instructs the victim to approve the expected prompt—reinforcing the illusion that they are engaging with a legitimate login portal.

This targeted manipulation effectively neutralizes MFA protections, transforming the authentication process into just another step the victim unknowingly completes for the attacker.

Account Takeovers and the Never-Ending Phishing Cycle

Once attackers compromise an account, the real damage begins. They do not stop at simply acquiring access; instead, they use the compromised account as a launchpad for further phishing attacks.

With control over a legitimate email account, they gain instant credibility, making it easier to deceive employees, partners, and customers. This is particularly dangerous when attackers use the account to target others within the same organization—a tactic known as lateral phishing. Because internal emails are inherently more trusted than external ones, employees are far more likely to fall for these follow-up attacks.

Attackers also manipulate email rules to evade detection. By creating automated rules that filter out security alerts and phishing warnings, they make it more difficult for the target to realize their account has been compromised. In some cases, responses to phishing emails are intercepted and deleted before the compromised user ever sees them. This level of control allows attackers to operate unnoticed for extended periods, maximizing their ability to spread phishing attacks further.
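The inbox-rule tradecraft described above (rules that delete or hide security alerts, swallow replies, or forward mail out of the tenant) can be checked for mechanically. The following Python is an added example, not code from the original post or from the report it summarises. It assumes rules were exported from Exchange Online PowerShell with `Get-InboxRule -Mailbox <user> | ConvertTo-Json`, assumes a tenant domain of example.com, and uses constructed sample rules; the folder names and keyword list are heuristics to tune, not an exhaustive indicator set.

```python
"""Added example (not from the original post): flag inbox rules that look like
post-compromise tradecraft. Sample rules are constructed and shaped like
`Get-InboxRule | ConvertTo-Json` output; the tenant domain and word lists are
assumptions."""
import re

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain
# Folders attackers commonly move hidden mail into (heuristic, not exhaustive)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
# Words a rule would match to suppress warnings about the account's own compromise
ALERT_WORDS = ("phish", "hack", "suspicious", "security", "password",
               "compromis", "fraud", "scam", "unusual sign")
REPLY_PREFIX = re.compile(r"^(re|fw|fwd):?$", re.IGNORECASE)
EMAIL_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample export (not real data)
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "DeleteMessage": True, "MarkAsRead": True,
     "SubjectOrBodyContainsWords": ["phishing", "hacked", "password reset",
                                    "suspicious sign-in"]},
    {"Name": "Reply cleanup", "Enabled": True, "MarkAsRead": True,
     "MoveToFolder": "alice@example.com:\\RSS Subscriptions",
     "SubjectContainsWords": ["RE:", "FW:"]},
    {"Name": "Backup", "Enabled": True,
     "ForwardTo": ["SMTP:backup@mail-archive.example.net"]},
    {"Name": "Newsletters", "Enabled": True,
     "MoveToFolder": "alice@example.com:\\Newsletters",
     "From": ["news@vendor.example.com"]},
]


def _terms(rule: dict) -> list[str]:
    """Collect every subject/body condition word the rule matches on."""
    terms = []
    for key in ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords"):
        terms.extend(rule.get(key) or [])
    return [t.strip() for t in terms]


def rule_findings(rule: dict) -> list[str]:
    """Return the reasons a single rule looks like attacker-created."""
    findings = []
    folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].strip().lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
    terms = _terms(rule)
    if hides and any(w in t.lower() for t in terms for w in ALERT_WORDS):
        findings.append("hides security- or phishing-related mail")
    if hides and any(REPLY_PREFIX.match(t) for t in terms):
        findings.append("hides replies (reply interception)")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for target in rule.get(key) or []:
            m = EMAIL_DOMAIN.search(target)
            if not m:
                continue
            domain = m.group(1).lower()
            if domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN):
                findings.append(f"forwards mail to external domain {domain}")
    # Attacker-created rules are frequently named with a single character or dot
    if len((rule.get("Name") or "").strip()) <= 2:
        findings.append("minimal rule name")
    return findings


def scan(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule name -> findings for every enabled rule that tripped a heuristic."""
    return {r.get("Name", ""): f for r in rules
            if r.get("Enabled", True) and (f := rule_findings(r))}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RULES).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Run it against a real export and every hit is a mailbox to pull sign-in history for; the "Newsletters" rule shows that an ordinary move-to-folder rule produces no finding, so the output stays short enough to triage.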

The self-sustaining nature of this attack makes it particularly insidious. A single compromised account can be used to generate dozens of phishing emails, each with the potential to trigger further breaches. This turns phishing from an isolated security issue into a widespread organizational—and even industry-wide—threat. Strengthening security across organizations reduces opportunities for attackers to exploit trusted business relationships.

Breaking the Cycle of Phishing and Account Takeover Attacks

To combat this threat, organizations must go beyond traditional MFA and implement stronger security measures. Phishing-resistant authentication, such as FIDO2 security keys and certificate-based authentication, binds the credential to the legitimate service rather than to something the user types or approves. A lookalike portal cannot obtain a code or approval that it can relay, because the browser and authenticator will only produce an assertion for the origin the user is actually visiting. This also removes the reliance on passwords, making attacks like this one significantly harder to execute.
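The contrast between the staged relay described under "MFA Bypass: A Multi-Step Deception" and the origin binding that phishing-resistant authentication adds, as an added Python example that is not part of the original post or the report it summarises. It assumes a legitimate portal at https://sso.example.com and a lookalike at https://sso-example.com (both hypothetical), uses constructed key material, and stands in HMAC-SHA256 for the authenticator's ECDSA signature so that it runs with only the standard library; the browser's origin and rpId checks, not the signature algorithm, are what defeat the relay.

```python
"""Added example (not from the original post or report): a relayed TOTP code
is accepted by the real IdP, a relayed WebAuthn assertion is not. Origins,
seeds and keys below are hypothetical/constructed; HMAC stands in for ECDSA."""
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://sso.example.com"   # assumed legitimate ADFS portal
PHISH_ORIGIN = "https://sso-example.com"  # assumed lookalike portal
RP_ID = "sso.example.com"
TOTP_SEED = b"constructed-totp-seed"            # constructed; shared with the IdP
CREDENTIAL_KEY = b"constructed-credential-key"  # constructed; stands in for a key pair


# --- Traditional MFA: password + TOTP (RFC 6238) ------------------------------
def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def idp_verify_totp(code: str, at: int) -> bool:
    """The IdP cannot tell who typed the code or on which page it was typed."""
    return hmac.compare_digest(code, totp(TOTP_SEED, at))


def relayed_totp_login(at: int, relay_delay: int = 2) -> bool:
    """Victim types the code on the lookalike page; the attacker forwards it to
    the real IdP a couple of seconds later, inside the same 30-second window."""
    victim_code = totp(TOTP_SEED, at)
    return idp_verify_totp(victim_code, at + relay_delay)


# --- Phishing-resistant MFA: WebAuthn assertion -------------------------------
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_assert(origin: str, rp_id: str, challenge: bytes) -> dict:
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash || flags (user present) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": signature}


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Models navigator.credentials.get(): the browser, not the page, writes the
    origin into clientDataJSON and refuses rpIds the page's domain does not own."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"browser refuses rpId {rp_id!r} for {page_origin}")
    return authenticator_assert(page_origin, rp_id, challenge)


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """The relying party's checks on a returned assertion."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if client_data.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_webauthn_login(challenge: bytes) -> tuple[bool, str]:
    return rp_verify(browser_get_assertion(REAL_ORIGIN, RP_ID, challenge), challenge)


def relayed_webauthn_login(challenge: bytes) -> tuple[bool, str]:
    """Lookalike page forwards the real IdP's challenge to the victim's browser."""
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError:
        # Browser refused; the only rpId the lookalike can use is its own domain
        assertion = browser_get_assertion(PHISH_ORIGIN, "sso-example.com", challenge)
    return rp_verify(assertion, challenge)


if __name__ == "__main__":
    print("relayed TOTP accepted:", relayed_totp_login(1_700_000_000))
    print("legitimate WebAuthn:", legitimate_webauthn_login(b"challenge-1"))
    print("relayed WebAuthn:", relayed_webauthn_login(b"challenge-1"))
```

The TOTP path shows why a "second step" on the phishing page is enough: the code is valid for any submitter for the rest of its window. The WebAuthn path fails twice before it reaches the signature check: the browser refuses to sign for an rpId the lookalike domain does not own, and when the lookalike falls back to its own rpId, the relying party rejects the assertion on origin. Nothing the victim can be talked into approving changes that outcome.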

And while user awareness training remains critical, it must evolve to recognize the highly structured and psychologically persuasive tactics used in modern phishing attacks. Employees must be trained not just to spot generic phishing attempts, but to question unexpected login requests and subtle deviations in authentication workflows.

Additionally, legacy authentication systems like ADFS should be phased out in favor of modern identity platforms like Microsoft Entra ID, which incorporate risk-based authentication, adaptive MFA, and enhanced anomaly detection. These technologies can dynamically assess login behavior and block or require additional verification for suspicious activity, reducing the success rate of phishing-driven account takeovers.

Closing the Door on Phishing-Driven Account Takeovers

This investigation highlights the growing sophistication of phishing attacks. Well-executed social engineering, adaptive MFA bypass techniques, and the cascading impact of account takeovers create a relentless cycle of threats. Disrupting this cycle requires more than isolated security improvements—it demands a collective effort to strengthen authentication processes across industries. The stronger security becomes at an individual level, the more difficult it is for attackers to exploit organizational trust at scale.

To fully understand the depth of this campaign and how to defend against it, download the full Threat Intelligence Report. It provides detailed insights into attack methodologies, targeted industries, and technical indicators of compromise (IOCs) that security teams can use to detect and mitigate this threat.

Download Targeting Microsoft ADFS: How Phishing Campaigns Bypass Multi-Factor Authentication to Enable Account Takeover today.
