Hackers Exploit Legacy Protocols in Microsoft Entra ID to Bypass MFA and Conditional Access
A sophisticated and highly coordinated cyberattack campaign, tracked by Guardz Research, has come to light.
This operation zeroed in on legacy authentication protocols within Microsoft Entra ID, exploiting outdated methods to sidestep modern security measures like Multi-Factor Authentication (MFA) and Conditional Access.
At the heart of this assault was BAV2ROPC (Basic Authentication Version 2, Resource Owner Password Credential), a deprecated login flow that allows attackers to bypass interactive authentication challenges by directly exchanging usernames and passwords for access tokens.
Without triggering MFA prompts or user interaction, this protocol effectively acts as a hidden backdoor into otherwise secure environments, making it a favored vector for malicious actors.
Targeted Campaign Unleashes Automated Attacks
The campaign’s success hinged on the persistent use of legacy authentication methods such as BAV2ROPC, SMTP AUTH, POP3, and IMAP4, which lack the robust security features of modern protocols.
Despite Microsoft’s efforts to deprecate these methods, many organizations continue to rely on them due to outdated systems or business continuity needs, leaving their environments vulnerable.
Guardz Research observed that the attackers demonstrated an intricate understanding of identity systems, launching automated credential spraying and brute-force attacks across a distributed network of dozens of unique IP addresses, primarily originating from Eastern Europe and the Asia-Pacific region.
Their strategy was methodical, evolving from initial low-volume probing between March 18 and 20, to sustained daily attacks from March 21 to April 3, and culminating in a dramatic spike of 8,534 login attempts on April 5 during the intensification phase from April 4 to 7.
Over 9,000 suspicious Exchange login attempts were recorded in a short span, underscoring the scale and precision of this operation.
Legacy Protocols: A Persistent Vulnerability
The attackers specifically targeted legacy endpoints like Exchange Online and the Microsoft Authentication Library, with over 90 percent of their efforts focused on these critical systems.
Their tactics included exploiting OAuth legacy flows (12,221 attempts), password authentication (28,150 attempts), basic authentication (27,332 attempts), and legacy Exchange protocols (21,080 attempts).
Admin accounts faced particularly intense scrutiny, with one subset enduring nearly 10,000 login attempts from 432 distinct IPs within just eight hours, highlighting the automation and determination behind the campaign.
These calculated strikes aimed not just to gain access but to harvest email data, identities, and session tokens for further escalation.
The use of IP rotation and distributed infrastructure further complicated detection, revealing a well-orchestrated effort to breach high-value targets.
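As an added example (not part of the Guardz report or this article), the following Python script flags legacy-protocol sign-ins in an Entra ID sign-in log export and surfaces accounts hit from many distinct IPs within a short window, the spraying-with-IP-rotation pattern described above. The field names (`clientAppUsed`, `userAgent`, `ipAddress`, `userPrincipalName`, `createdDateTime`) are assumed to follow the Microsoft Graph signIn resource, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# clientAppUsed values that denote legacy (non-modern-auth) clients; naming is
# assumed to follow the Microsoft Graph signIn resource, not taken from the page.
LEGACY_CLIENTS = {"Authenticated SMTP", "IMAP4", "POP3", "Other clients",
                  "Exchange ActiveSync", "MAPI Over HTTP", "Exchange Web Services"}


def is_legacy(rec):
    """Legacy if the client type is a legacy protocol or the user agent is BAV2ROPC."""
    return (rec.get("clientAppUsed") in LEGACY_CLIENTS
            or "BAV2ROPC" in rec.get("userAgent", ""))


def spray_candidates(records, window=timedelta(hours=8), min_ips=5):
    """Return {user: distinct_ip_count} for users targeted over legacy protocols
    from at least `min_ips` distinct IPs inside any `window`-long span."""
    by_user = defaultdict(list)
    for r in records:
        if is_legacy(r):
            ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
            by_user[r["userPrincipalName"]].append((ts, r["ipAddress"]))
    hits = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # sliding window per user
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                hits[user] = max(hits.get(user, 0), len(ips))
    return hits


def build_sample():
    """Constructed sign-in export, not real telemetry: 40 BAV2ROPC failures
    against one admin from 10 rotating IPs, plus one normal browser sign-in."""
    base = datetime(2025, 4, 5, 1, 0, tzinfo=timezone.utc)
    stamp = lambda d: d.isoformat().replace("+00:00", "Z")
    recs = [{"createdDateTime": stamp(base + timedelta(minutes=i * 10)),
             "userPrincipalName": "admin@example.test",
             "ipAddress": f"203.0.113.{i % 10}",      # TEST-NET-3 documentation range
             "clientAppUsed": "Other clients", "userAgent": "BAV2ROPC",
             "status": {"errorCode": 50126}}          # invalid username or password
            for i in range(40)]
    recs.append({"createdDateTime": stamp(base), "userPrincipalName": "alice@example.test",
                 "ipAddress": "198.51.100.7", "clientAppUsed": "Browser",
                 "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}})
    return recs


if __name__ == "__main__":
    sample = build_sample()
    print("legacy sign-ins:", sum(is_legacy(r) for r in sample))   # 40
    print("spray candidates:", spray_candidates(sample))           # {'admin@example.test': 10}
```

Accounts surfaced this way are the ones whose legacy-protocol access should be cut off first, either by a Conditional Access policy blocking legacy authentication or by disabling the protocols at the mailbox level.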
Guardz Research emphasizes that the only effective defense observed during this campaign was a robust configuration that disables legacy authentication entirely.
Organizations still permitting these outdated protocols remain prime targets, as attackers continue to exploit these overlooked vulnerabilities with alarming efficiency.
This incident serves as a stark reminder of the urgent need to modernize authentication frameworks and eliminate legacy dependencies to safeguard against increasingly sophisticated cyber threats.