A flaw in Microsoft Entra ID’s legacy login allowed attackers to bypass MFA, targeting admin accounts across the finance, healthcare, and tech sectors.
Cybersecurity firm Guardz has discovered a targeted campaign exploiting a weakness in Microsoft Entra ID’s legacy authentication protocols, allowing attackers to bypass modern security measures such as Multi-Factor Authentication (MFA).
The attacks, which occurred between March 18 and April 7, 2025, used Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method, to gain unauthorized access, highlighting the dangers of outdated authentication in cloud environments.
This campaign, according to Guardz’s report, shared with Hackread.com, targeted various sectors including financial services, healthcare, manufacturing, and technology services.
This incident follows the widespread Microsoft Entra ID account lockouts reported by Hackread.com in April 2025, caused by an internal Microsoft error involving refresh tokens and the MACE Credential Revocation app. While Hackread’s report detailed unintentional lockouts due to an internal issue, the Guardz discovery highlights deliberate exploitation of Entra ID vulnerabilities by malicious actors.
Campaign Analysis
Guardz Research Unit (GRU) discovered that threat actors were actively exploiting BAV2ROPC – a compatibility feature within Entra ID that allows older applications to authenticate using simple usernames and passwords.
Unlike modern interactive login processes that require MFA and other security checks, BAV2ROPC operates non-interactively. This critical difference allows attackers to completely circumvent MFA, Conditional Access Policies, and even login alerts and user presence verification, effectively rendering these modern protections useless.
Attack Timeline
The attack occurred in two distinct phases, starting with an “Initialization” phase between March 18th and 20th, characterized by a lower intensity of probing, averaging about 2,709 suspicious login attempts daily.
This was followed by a “Sustained Attack” phase, from March 21st to April 3rd, which featured a dramatic surge in activity, spiking to over 6,444 attempts per day (a whopping 138% increase). This escalation indicated a clear shift towards aggressive exploitation of the identified vulnerabilities.
Guardz Research tracked over 9,000 suspicious Exchange login attempts, primarily from Eastern Europe and the Asia-Pacific region. The campaign involved automated credential spraying and brute-force tactics, focusing on exposed legacy endpoints.
The attacks targeted various legacy authentication vectors, with over 90% aimed at Exchange Online and the Microsoft Authentication Library, including a significant focus on administrator accounts.
“Admin accounts were a specific focus. One subset received about 10,000 attempts from 432 IPs within 8 hours,” wrote Guardz’s Elli Shlomo in their blog post.
While the campaign has subsided, Guardz warns that the vulnerability persists in many organizations still relying on protocols like BAV2ROPC, SMTP AUTH, POP3, and IMAP4 for compatibility. These methods bypass MFA, ignore Conditional Access, and enable silent, non-interactive logins, thus creating a “hidden backdoor,” researchers noted.
Dor Eisner, CEO and Co-Founder of Guardz, emphasized the critical nature of this issue, stating, “This campaign is a wake-up call, not just about one vulnerability, but about the broader need to retire outdated technologies that no longer serve today’s threat landscape.”
To mitigate the risks, Guardz urges organizations to immediately audit and disable legacy authentication, enforce modern authentication with MFA, implement Conditional Access policies to block unsupported flows, and closely monitor for unusual login activity.
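As an added example (not from Guardz’s report or Hackread’s article), the following Python triage script runs over constructed Entra ID sign-in records and does the monitoring step above: it flags legacy, non-interactive flows (the ROPC protocol that BAV2ROPC uses, plus the IMAP4/POP3/SMTP AUTH client apps named in the report), counts attempts per account, and surfaces accounts hit from many distinct source IPs, the spraying pattern the campaign showed against admin accounts. Field names follow the Microsoft Graph signIn resource; the sample records, the IP threshold, and the set of client-app strings treated as legacy are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample sign-in records (JSON lines), not real log data.
# Field names follow the Microsoft Graph signIn resource; values are assumptions.
# errorCode 0 = success, 50126 = invalid username or password (AADSTS50126).
SAMPLE_SIGNINS = """
{"userPrincipalName":"admin@example.com","ipAddress":"198.51.100.10","clientAppUsed":"Other clients","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"userPrincipalName":"admin@example.com","ipAddress":"198.51.100.11","clientAppUsed":"Other clients","authenticationProtocol":"ropc","status":{"errorCode":50126}}
{"userPrincipalName":"admin@example.com","ipAddress":"198.51.100.12","clientAppUsed":"Other clients","authenticationProtocol":"ropc","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.5","clientAppUsed":"Browser","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.9","clientAppUsed":"IMAP4","authenticationProtocol":"none","status":{"errorCode":50126}}
"""

# Client-app labels assumed to indicate basic-auth style legacy protocols.
LEGACY_CLIENT_APPS = {"Other clients", "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_legacy(rec):
    # ROPC (the flow BAV2ROPC rides on) and basic-auth mail protocols never
    # pass through an interactive MFA prompt, so every such sign-in is of interest.
    return rec.get("authenticationProtocol") == "ropc" or rec.get("clientAppUsed") in LEGACY_CLIENT_APPS


def analyze(records, ip_threshold=2):
    """Return legacy-auth attempts per user, users sprayed from many IPs,
    and users for whom a legacy-protocol login actually succeeded."""
    attempts = Counter()
    ips = defaultdict(set)
    successes = set()
    for rec in records:
        if not is_legacy(rec):
            continue
        user = rec["userPrincipalName"]
        attempts[user] += 1
        ips[user].add(rec["ipAddress"])
        if rec.get("status", {}).get("errorCode") == 0:
            successes.add(user)
    # Spraying looks like many distinct source IPs against one account.
    sprayed = {u for u, s in ips.items() if len(s) >= ip_threshold}
    return {"attempts": dict(attempts), "sprayed": sprayed, "legacy_successes": successes}


if __name__ == "__main__":
    print(analyze(parse_signins(SAMPLE_SIGNINS)))
```

A successful entry in `legacy_successes` is the one to act on first, since it means a password was accepted on a path that never asked for MFA.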