Workflow abuse is the misuse of a legitimate business or support process to get an unauthorized security outcome. Instead of exploiting software code directly, an attacker targets the steps people and systems use for account recovery, identity checks, approvals, refunds, onboarding, or access changes. If the process is trusted too much, a normal-looking request can be turned into account takeover or privilege escalation.
This matters because many real attacks focus on the help desk and recovery flow, where a single weak verification step can override strong login controls. Defenders reduce the risk by treating support workflows like security boundaries: require step-up verification, separate approval roles, log and review sensitive actions, rate-limit repeated requests, and test processes for abuse cases. Good design assumes the workflow itself may be an attack surface.
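As an added example (not from the original page), the controls listed above modelled as a small password-reset workflow in Python: repeated requests against one account are rate-limited, a reset is refused until the user has passed an out-of-band step-up check, the agent who opened the ticket cannot approve it, and every decision lands in an audit record. The class and field names, the decision strings and the policy values are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not from the page).
MAX_REQUESTS_PER_WINDOW = 3   # reset requests allowed per account per window
WINDOW_SECONDS = 3600


@dataclass
class ResetTicket:
    account: str          # account the caller asks to recover
    agent: str            # help-desk agent who opened the ticket
    step_up_passed: bool  # user passed an out-of-band check (e.g. registered device)
    ts: int               # unix time the request arrived


class RecoveryWorkflow:
    """Password-reset flow treated as a security boundary, not a courtesy."""

    def __init__(self):
        self.attempts = defaultdict(list)  # account -> recent request timestamps
        self.pending = {}                  # ticket id -> ResetTicket awaiting approval
        self.audit = []                    # append-only record of every decision

    def _log(self, ticket, decision):
        self.audit.append((ticket.ts, ticket.account, ticket.agent, decision))
        return decision

    def request_reset(self, ticket_id, ticket):
        # Rate limit: repeated resets against one account are a signal worth stopping.
        recent = [t for t in self.attempts[ticket.account] if ticket.ts - t < WINDOW_SECONDS]
        recent.append(ticket.ts)
        self.attempts[ticket.account] = recent
        if len(recent) > MAX_REQUESTS_PER_WINDOW:
            return self._log(ticket, "denied:rate_limit")
        # Step-up: what the caller says about themselves never replaces a factor they hold.
        if not ticket.step_up_passed:
            return self._log(ticket, "denied:step_up_required")
        # Separation of roles: the opening agent cannot also approve (see approve()).
        self.pending[ticket_id] = ticket
        return self._log(ticket, "pending_second_approval")

    def approve(self, ticket_id, approver):
        ticket = self.pending.get(ticket_id)
        if ticket is None:
            return "denied:no_such_ticket"
        if approver == ticket.agent:
            return self._log(ticket, "denied:separation_of_duties")
        del self.pending[ticket_id]
        return self._log(ticket, f"reset_issued_by:{approver}")
```

The audit list is what a reviewer would query when looking for accounts that keep hitting the rate limit or agents who repeatedly try to approve their own tickets.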