Sophisticated Phishing Campaign Bypasses ADFS MFA

Overview

A recently uncovered phishing campaign has demonstrated that even multi-factor authentication (MFA) is not immune to compromise, particularly when built on legacy identity infrastructure. Organizations leveraging Microsoft's Active Directory Federation Services (ADFS) are currently being targeted by a well-orchestrated threat campaign that bypasses traditional MFA protections. This long-running operation, active for at least six years, has affected over 150 organizations across education, healthcare, and government sectors. The attackers’ ability to circumvent MFA defenses underscores the critical need for modern, phishing-resistant authentication mechanisms.

How It Works

The attack begins with a convincingly crafted phishing email, typically masquerading as a message from an internal IT team or system administrator. The email directs the recipient to a spoofed ADFS login page that mimics the legitimate portal, complete with familiar branding and layout.

Once the victim lands on the fake login page, they are prompted to enter their username and password. Following the primary credential input, the site presents a second prompt for MFA verification, tailored to the specific method the organization uses—whether that be SMS, authenticator app, or push-based notifications. The phishing infrastructure is advanced enough to capture these second-factor inputs in real time, effectively enabling a full session hijack.

To minimize suspicion, the user is often redirected to the actual ADFS portal or a valid internal site after their credentials have been harvested. Meanwhile, the attacker uses the collected data to authenticate into the real system, often gaining immediate access due to the real-time relay of credentials and MFA tokens. From there, attackers perform lateral movement, set up persistence mechanisms such as mail-forwarding rules, and may launch additional internal phishing campaigns.
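A real-time relay leaves two traces a defender can correlate: a successful MFA sign-in from an address the user has never used, followed shortly by an inbox rule that forwards mail outside the organization. The script below is an added example, not code from the article or from any vendor tooling; the event records are constructed, and the field names (ts, user, event, src_ip, mfa, forward_to) and the internal domain are assumptions standing in for whatever your log pipeline normalizes ADFS audit and Exchange mailbox-rule events into.

```python
"""Hunt for the relay-then-persist pattern: MFA login from a new source IP,
followed within an hour by an inbox rule forwarding to an external domain.

Added example; event schema and sample records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (normalised sign-in and mailbox-rule records).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:10", "user": "alice", "event": "signin_success",
     "src_ip": "203.0.113.10", "mfa": True},
    {"ts": "2024-05-01T08:14:33", "user": "alice", "event": "signin_success",
     "src_ip": "203.0.113.10", "mfa": True},
    # Relayed login: MFA succeeds from an address alice has never used before.
    {"ts": "2024-05-03T09:41:02", "user": "alice", "event": "signin_success",
     "src_ip": "198.51.100.77", "mfa": True},
    # Persistence: forwarding rule to an external mailbox eleven minutes later.
    {"ts": "2024-05-03T09:52:40", "user": "alice", "event": "inbox_rule_created",
     "src_ip": "198.51.100.77", "forward_to": "drop@mail.example-external.test"},
    # Benign: bob logs in from his usual address and forwards to an internal mailbox.
    {"ts": "2024-05-03T10:05:00", "user": "bob", "event": "signin_success",
     "src_ip": "203.0.113.22", "mfa": True},
    {"ts": "2024-05-03T10:10:00", "user": "bob", "event": "inbox_rule_created",
     "src_ip": "203.0.113.22", "forward_to": "bob.archive@corp.example"},
]

INTERNAL_DOMAINS = {"corp.example"}      # assumption: the organisation's own mail domains
BASELINE_WINDOW = timedelta(days=30)     # how long a source IP counts as "known" for a user
RULE_WINDOW = timedelta(hours=1)         # how soon after the login a rule is suspicious


def parse(ts):
    return datetime.fromisoformat(ts)


def is_external(address):
    """True when the forwarding target's domain is not one of ours."""
    return address.split("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_suspicious_sessions(events):
    """Return (user, signin_ts, src_ip, reason) tuples for logins that match the pattern."""
    events = sorted(events, key=lambda e: e["ts"])
    seen_ips = defaultdict(dict)   # user -> {src_ip: last_seen}
    candidates = []                # MFA logins from a never-seen IP, awaiting a follow-up rule
    findings = []

    for ev in events:
        when = parse(ev["ts"])
        user = ev["user"]
        if ev["event"] == "signin_success" and ev.get("mfa"):
            history = seen_ips[user]
            # Expire baseline entries older than the window.
            for ip in [ip for ip, t in history.items() if when - t > BASELINE_WINDOW]:
                del history[ip]
            # A user with no history yet cannot have a "new" IP; avoid first-login noise.
            novel = bool(history) and ev["src_ip"] not in history
            history[ev["src_ip"]] = when
            if novel:
                candidates.append((user, when, ev["src_ip"]))
        elif ev["event"] == "inbox_rule_created" and is_external(ev.get("forward_to", "")):
            for cand_user, cand_when, cand_ip in candidates:
                if cand_user == user and timedelta(0) <= when - cand_when <= RULE_WINDOW:
                    findings.append((user, cand_when.isoformat(), cand_ip,
                                     f"MFA login from new IP followed by external forward "
                                     f"to {ev['forward_to']}"))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_sessions(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Because the relay authenticates from the attacker's infrastructure rather than the victim's machine, the source-IP novelty check is what separates this from the user simply logging in twice; the external-forward condition keeps ordinary archive or delegate rules out of the results.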

Risks and Implications

The implications of this attack are substantial. ADFS, while once a staple for enterprise single sign-on, lacks the modern defenses found in newer identity platforms. Its dependency on legacy MFA methods makes it a prime target for credential-phishing and replay attacks. Because the phishing kit mirrors organizational login portals so closely and operates in real time, detection is challenging.

Compromised accounts can lead to data exfiltration, internal reconnaissance, and privilege escalation. In highly regulated environments like healthcare and education, these breaches may also trigger compliance violations, financial penalties, and reputational damage.

Recommendations

Organizations relying on ADFS should take immediate action to reassess their identity infrastructure. The most effective long-term solution is to migrate to a more secure identity platform such as Microsoft Entra ID (formerly Azure AD), which offers integrated, phishing-resistant authentication options.

Modern MFA approaches—particularly those based on FIDO2 standards—provide strong protections against phishing. These include hardware security keys and certificate-based authentication, which are inherently resistant to credential replay. Additionally, implementing conditional access policies that evaluate contextual signals like device compliance, user behavior, and geolocation can offer an additional layer of defense.
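The reason a FIDO2 credential survives the relay described above is origin binding: the browser, not the web page, records the origin it is running on and the authenticator only answers for the RP ID the key was registered to, and both values are covered by the signature the server checks. The model below is an added example, not the article's or any library's code; it replaces the real asymmetric signature with an HMAC so it runs on the standard library alone, and the hostnames are constructed placeholders.

```python
"""Toy model of WebAuthn assertion verification showing why a relayed login fails.

Added example. Simplifications: the signature is an HMAC instead of ECDSA/RSA, and
the authenticator data carries only the rpIdHash. Hostnames are constructed.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "adfs.corp.example"                             # relying party the key is bound to
LEGIT_ORIGIN = "https://adfs.corp.example"
PHISH_ORIGIN = "https://adfs-corp-login.example-phish.test"


class SecurityError(Exception):
    """Raised where a real browser would refuse navigator.credentials.get()."""


def make_credential(secret=None):
    """Registration: the credential is tied to RP_ID from the moment it is created."""
    return {"key": secret or os.urandom(32), "rp_id": RP_ID}


def authenticator_sign(cred, origin, challenge):
    """What the client platform produces for one assertion."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(cred["rp_id"].encode()).digest()        # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred["key"], signed, hashlib.sha256).digest()         # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


def browser_get(cred, origin, challenge):
    """The browser fills in its own origin and rejects an RP ID that does not match it."""
    host = urlparse(origin).hostname or ""
    if not (host == cred["rp_id"] or host.endswith("." + cred["rp_id"])):
        raise SecurityError(f"rpId {cred['rp_id']} is not valid for origin {origin}")
    return authenticator_sign(cred, origin, challenge)


def server_verify(cred, assertion, expected_challenge, allowed_origins):
    """Relying-party checks: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')} not allowed"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expect = hmac.new(cred["key"], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login(cred, origin):
    """One sign-in: the real server issues a challenge, the page at `origin` asks the
    browser to sign it. A relay page forwards the genuine challenge but runs on its own origin."""
    challenge = os.urandom(16).hex()
    try:
        assertion = browser_get(cred, origin, challenge)
    except SecurityError as exc:
        return False, str(exc)
    return server_verify(cred, assertion, challenge, {LEGIT_ORIGIN})


def relayed_assertion_attempt(cred):
    """Even if some client signed at the phishing origin, the server rejects the origin,
    and rewriting client_data afterwards breaks the signature. Returns both outcomes."""
    challenge = os.urandom(16).hex()
    assertion = authenticator_sign(cred, PHISH_ORIGIN, challenge)
    first = server_verify(cred, assertion, challenge, {LEGIT_ORIGIN})
    patched = json.loads(assertion["client_data"])
    patched["origin"] = LEGIT_ORIGIN
    assertion["client_data"] = json.dumps(patched, sort_keys=True).encode()
    second = server_verify(cred, assertion, challenge, {LEGIT_ORIGIN})
    return first, second


if __name__ == "__main__":
    cred = make_credential()
    print("legitimate:", login(cred, LEGIT_ORIGIN))
    print("via relay page:", login(cred, PHISH_ORIGIN))
    print("forged client data:", relayed_assertion_attempt(cred))
```

Contrast this with the SMS or push flow in the attack: the code or approval the user supplies carries no information about where it was entered, so the relay can hand it to the real portal unchanged. The conditional-access signals mentioned above (device compliance, location) add a further check on the session itself rather than on the factor.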

Security awareness training should not be overlooked. Users should be educated to verify URLs, avoid clicking unknown links, and report suspicious login prompts—even if they resemble familiar internal systems.

Conclusion

This ongoing phishing campaign targeting ADFS users is a stark reminder that MFA alone is not a panacea—especially when paired with legacy systems. Attackers are evolving, deploying real-time phishing kits that can defeat even seemingly robust authentication mechanisms. The path forward lies in adopting modern, phishing-resistant identity solutions and reinforcing them with intelligent access controls and user education. Now is the time to retire outdated infrastructure and build an identity foundation resilient to the threats of today—and tomorrow.