ADFS v2 service account is exposed to the internet


Hello,

The ADFS v2 service account is exposed to the internet via the endpoint /adfs/services/trust/mex.

Apparently MS is not admitting that exposing the service account poses a security concern.

(you can see the service account of MS adfs v2 by following this link:

https://corp.sts.microsoft.com/adfs/services/trust/mex)

This service account can be hidden by disabling the endpoint:

https://corp.sts.microsoft.com/adfs/services/trust/2005/windowstransport

however, I was not able to get the list of drawbacks or services affected.

Another option is to force authentication to the MEX endpoint, but is it supported?

So be aware of the potential brute-force attacks or account lockout, which will bring your platform down.
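The following PowerShell script is an added, defender-oriented example and is not part of the original post or of any Microsoft documentation. It assumes it runs on an ADFS 2.0 federation server with the Microsoft.Adfs.PowerShell snap-in available, that `$FederationHost` (a placeholder) is your own STS hostname, and that the MEX document, when it exposes the service account, does so through the WS-Addressing `<Identity><Upn>` element advertised by the Windows-transport endpoints. It lists which endpoints are published through the federation proxy, checks anonymously whether the MEX document names a service account UPN, and then removes the Windows-transport WS-Trust endpoints from the proxy rather than disabling them outright, so intranet clients that reach the federation server directly keep working.

```powershell
# Added example (not from the original post): audit ADFS 2.0 WS-Trust endpoints,
# check whether the MEX document publishes the service account UPN, and stop
# publishing the Windows-transport endpoints through the federation proxy.
param(
    [string]$FederationHost = "sts.example.com"   # placeholder: your own STS hostname
)

# Load the ADFS 2.0 snap-in if the session does not already have it.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# 1. Inventory: every enabled endpoint that the proxy exposes to the internet.
Write-Host "Endpoints currently published through the federation proxy:"
Get-ADFSEndpoint |
    Where-Object { $_.Enabled -and $_.Proxy } |
    Select-Object AddressPath, Protocol, SecurityMode |
    Format-Table -AutoSize

# 2. Check: fetch the MEX document anonymously, exactly as an internet client would,
#    and look for the <Identity><Upn> element that carries the service account name.
$mexUrl = "https://$FederationHost/adfs/services/trust/mex"
$client = New-Object System.Net.WebClient
[xml]$mex = $client.DownloadString($mexUrl)
$ns = New-Object System.Xml.XmlNamespaceManager($mex.NameTable)
$ns.AddNamespace("wsid", "http://schemas.xmlsoap.org/ws/2006/02/addressingidentity")
$upns = $mex.SelectNodes("//wsid:Identity/wsid:Upn", $ns) |
    ForEach-Object { $_.InnerText } |
    Sort-Object -Unique
if ($upns) {
    Write-Warning "MEX publishes service account UPN(s): $($upns -join ', ')"
} else {
    Write-Host "No UPN identity found in the MEX document."
}

# 3. Mitigation: keep the Windows-transport endpoints (both the /2005/ and /13/
#    paths) enabled for the intranet but remove them from the proxy, which also
#    withdraws the endpoint entries that carry the UPN from the MEX document.
$windowsTransport = Get-ADFSEndpoint | Where-Object { $_.AddressPath -like "*/windowstransport" }
foreach ($ep in $windowsTransport) {
    Set-ADFSEndpoint -TargetAddressPath $ep.AddressPath -Proxy $false
    Write-Host "Removed from proxy: $($ep.AddressPath)"
}
```

Run step 2 again from outside the network after the change to confirm the UPN no longer appears; in ADFS 2.0 endpoint changes take effect once the AD FS 2.0 Windows Service has been restarted. Removing the endpoints from the proxy (rather than setting `-Enabled $false`) is the narrower change: it addresses the internet-facing exposure and the lockout risk from extranet password guessing against the Windows-authentication endpoints while leaving internal Kerberos-based clients untouched.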
