MFA Expiration Warning Used in Cloud Credential Harvesting Campaign

ID: b3a7c983-65db-457d-b5a1-1472d7646f00

STIX ID: report--b3a7c983-65db-457d-b5a1-1472d7646f00

Threat Score

60/100

Uploaded: 2026-04-13

Created by: Report Uploader

TLP:GREEN
Between 11 and 13 April 2026, employees at a technology company were targeted by an MFA re-enrollment phishing campaign that cloned the organization's single sign-on page at https://mfa-validation-center.com/auth. Victims who submitted credentials and approved MFA requests were redirected to the legitimate portal. Investigators observed the creation of mailbox rules that delete or forward security alerts, as well as logins from a previously unseen IP (146.19.211.84), indicating credential compromise and account takeover.