Legacy Login in Microsoft Entra ID Exploited to Breach Cloud Accounts


A flaw in Microsoft Entra ID’s legacy login allowed attackers to bypass MFA, targeting admin accounts across finance, healthcare, and tech sectors.

Cybersecurity firm Guardz has discovered a targeted campaign exploiting a weakness in Microsoft Entra ID’s legacy authentication protocols, allowing attackers to bypass modern security measures like Multi-Factor Authentication (MFA).

The attacks, which occurred between March 18 and April 7, 2025, utilized Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method, to gain unauthorized access, highlighting the dangers of outdated authentication in cloud environments.

This campaign, according to Guardz’s report, shared with Hackread.com, targeted various sectors including financial services, healthcare, manufacturing, and technology services.

This incident follows the widespread Microsoft Entra ID account lockouts reported by Hackread.com in April 2025, caused by an internal Microsoft error with refresh tokens and the MACE Credential Revocation app. While Hackread’s report detailed unintentional lockouts due to an internal issue, the Guardz discovery highlights a deliberate exploitation of Entra ID vulnerabilities by malicious actors.

Campaign Analysis

Guardz Research Unit (GRU) discovered that threat actors were actively exploiting BAV2ROPC – a compatibility feature within Entra ID that allows older applications to authenticate using simple usernames and passwords.

Unlike contemporary interactive login processes that mandate MFA and other security checks, BAV2ROPC operates non-interactively. This critical difference allows attackers to completely circumvent MFA, Conditional Access Policies, and even login alerts and user presence verification, effectively rendering these modern protections useless.

Attack Timeline

The attack occurred in two distinct phases, starting with an “Initialization” phase between March 18th and 20th that was characterized by lower-intensity probing, averaging around 2,709 suspicious login attempts daily.

This was followed by a “Sustained Attack” phase, from March 21st to April 3rd, which featured a dramatic surge in activity, spiking to over 6,444 attempts per day (a whopping 138% increase). This escalation indicated a clear shift towards aggressive exploitation of the identified vulnerabilities.

Guardz Research tracked over 9,000 suspicious Exchange login attempts, primarily from Eastern Europe and the Asia-Pacific region. The campaign involved automated credential spraying and brute-force tactics, focusing on exposed legacy endpoints.

The attacks targeted various legacy authentication vectors, with over 90% aimed at Exchange Online and the Microsoft Authentication Library, including a significant focus on administrator accounts.

“Admin accounts were a specific focus. One subset received nearly 10,000 attempts from 432 IPs within 8 hours,” wrote Guardz’s Elli Shlomo in their blog post.

While the campaign has subsided, Guardz warns that the vulnerability persists in many organizations still relying on protocols like BAV2ROPC, SMTP AUTH, POP3, and IMAP4 for compatibility. These methods bypass MFA, ignore Conditional Access, and enable silent, non-interactive logins, creating a “hidden backdoor,” the researchers noted.

Dor Eisner, CEO and Co-Founder of Guardz, emphasized the critical nature of this issue, stating, “This campaign is a wake-up call, not just about one vulnerability, but about the broader need to retire outdated technologies that no longer serve today’s threat landscape.”

To mitigate the risks, Guardz urges organizations to immediately audit and disable legacy authentication, enforce modern authentication with MFA, implement conditional access policies to block unsupported flows, and closely monitor for unusual login activity.
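As an added illustration of the monitoring step (example code written for this article, not from Guardz or Microsoft), the following Python flags the pattern described above: legacy-auth sign-in attempts against one account from many distinct IPs inside a short window. It assumes records shaped like Entra ID sign-in log entries (userPrincipalName, ipAddress, createdDateTime, userAgent, clientAppUsed), that BAV2ROPC sign-ins carry the literal user agent string "BAV2ROPC", and arbitrary thresholds (10 IPs in 8 hours); the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values Entra ID sign-in logs report for legacy protocols (assumed).
LEGACY_CLIENT_APPS = {"Other clients", "IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync"}

def is_legacy_auth(rec):
    """True for a sign-in that used a legacy (non-interactive) auth path.
    BAV2ROPC sign-ins carry the literal user agent string 'BAV2ROPC'."""
    return (rec.get("userAgent") == "BAV2ROPC"
            or rec.get("clientAppUsed") in LEGACY_CLIENT_APPS)

def find_spray_targets(records, window=timedelta(hours=8), min_ips=10):
    """Accounts hit over legacy auth from >= min_ips distinct IPs inside `window`.
    Failed and successful attempts both count: a spray is visible before any
    success is. Returns {upn: peak distinct-IP count}."""
    per_user = defaultdict(list)
    for r in records:
        if is_legacy_auth(r):
            ts = datetime.fromisoformat(r["createdDateTime"])
            per_user[r["userPrincipalName"]].append((ts, r["ipAddress"]))
    flagged = {}
    for upn, events in per_user.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({ip for _, ip in events[start:end + 1]}))
        if peak >= min_ips:
            flagged[upn] = peak
    return flagged

# Constructed sample records (not real data) in the shape of Entra sign-in log entries.
def _rec(upn, ip, minutes, agent, app):
    ts = datetime(2025, 3, 21, 2, 0) + timedelta(minutes=minutes)
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": ts.isoformat(),
            "userAgent": agent, "clientAppUsed": app, "status": "failure"}

def sample_records():
    # admin sprayed from 12 IPs over BAV2ROPC within 5.5 hours; one legacy attempt on
    # a normal user; 15 browser sign-ins for the admin that must not be counted.
    recs = [_rec("admin@example.com", f"203.0.113.{i + 1}", 30 * i,
                 "BAV2ROPC", "Other clients") for i in range(12)]
    recs.append(_rec("alice@example.com", "198.51.100.7", 0, "BAV2ROPC", "Other clients"))
    recs += [_rec("admin@example.com", f"192.0.2.{i + 1}", i, "Mozilla/5.0", "Browser")
             for i in range(15)]
    return recs
```

Running `find_spray_targets(sample_records())` on the constructed log returns `{'admin@example.com': 12}`; the browser sign-ins are ignored because they are not legacy auth, so the alert fires on the protocol path, not on volume alone.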
