ADFS Under Siege: How Attackers Bypass MFA for Account Takeover
By evading SEGs and users, ADFS phishing tactics lead to compromised accounts.

What is the attack?
Phishing Email: Attackers send spoofed IT notifications impersonating the organization’s IT help desk, prompting users to take urgent action via a malicious link.
Landing Pages: The phishing page replicates the ADFS login portal, harvesting credentials, MFA codes, and OTPs. It also instructs users to approve push notifications, increasing the likelihood of bypassing MFA.
Account Takeover: With stolen credentials and MFA tokens, attackers gain access to accounts, using VPNs to evade detection and conduct follow-up attacks like BEC and lateral phishing.
Why did it get through?
Spoofed IT Notifications: Attackers craft emails that closely mimic legitimate IT messages, using official branding, sender names, and domains that appear authentic.
Convincing Phishing Page: The fraudulent ADFS login page replicates the target organization’s branding and mimics the ADFS URL structure to appear legitimate.
Seamless Redirection: After stealing credentials, users are redirected to the real login page, reducing suspicion and preventing immediate detection.
What is required to solve for this attack?
Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, URLs, and user sign-ins as anomalies that enable the detection of novel attacks.
Content Analysis and Natural Language Processing: Abnormal understands the email's content, recognizing the urgency and financial implications as indicators of a financial-themed attack.
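
Because the phishing page mimics the ADFS URL structure on a host the organization does not own, one defensive check is to flag any emailed link that carries an AD FS sign-in path on a foreign or lookalike host. The following is an added example, not Abnormal's detection logic and not part of the original page; the federation host `sts.corp.example`, the reason labels, and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the organization's real federation host (constructed value).
LEGIT_ADFS_HOSTS = {"sts.corp.example"}
# AD FS sign-in endpoints live under /adfs/ls/ and /adfs/oauth2/.
ADFS_PATH = re.compile(r"^/adfs/(ls|oauth2)(/|$)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character host swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url):
    """Return the reasons a URL looks like an AD FS impersonation ([] if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if host in LEGIT_ADFS_HOSTS:
        return []
    reasons = []
    if ADFS_PATH.match(parts.path):
        reasons.append("adfs-path-on-foreign-host")
    for legit in sorted(LEGIT_ADFS_HOSTS):
        if edit_distance(host, legit) <= 2:
            reasons.append("lookalike-of-" + legit)
        elif host.startswith(legit + "."):
            reasons.append("legit-host-as-prefix-of-" + legit)
    return reasons

def scan_email(body):
    """Map each suspicious URL in an email body to its reasons."""
    found = {url: classify_url(url) for url in URL_RE.findall(body)}
    return {url: r for url, r in found.items() if r}

# Constructed sample message, not taken from a real campaign.
SAMPLE_EMAIL = """IT Help Desk: your session policy changed, re-authenticate today.
Sign in: https://sts.c0rp.example/adfs/ls/?wa=wsignin1.0
Mirror: https://sts.corp.example.portal-verify.test/adfs/ls/idpinitiatedsignon.aspx
Real portal: https://sts.corp.example/adfs/ls/
Policy: https://wiki.corp.example/policy
"""

if __name__ == "__main__":
    print(scan_email(SAMPLE_EMAIL))
```

The same classification can be applied to referrers in the real AD FS server's web logs, since the redirect back to the legitimate login page means a victim's browser may arrive from the impersonating host.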