A sophisticated cyber campaign targeting legacy authentication protocols in Microsoft Entra ID was uncovered by Guardz Research, highlighting grave security concerns for organizations that have yet to phase out outdated authentication methods.
At the heart of this operation was BAV2ROPC, a legacy login protocol that enables attackers to circumvent robust security controls such as Multi-Factor Authentication (MFA) and Conditional Access.
The campaign revealed a methodical and deliberate attack strategy, far from being opportunistic or random.
Instead, attackers orchestrated an automated assault leveraging BAV2ROPC and other legacy authentication methods, exploiting environments still dependent on these outdated technologies.
Legacy protocols, including BAV2ROPC, SMTP AUTH, POP3, and IMAP4, lack the necessary mechanisms to enforce modern security policies.
They are inherently incapable of integrating with MFA or honoring Conditional Access policies, effectively serving as an unguarded entryway for malicious actors.
Despite Microsoft having deprecated or disabled most of these protocols, numerous tenants still keep them enabled, often for reasons of business continuity or to support legacy systems.
This persistence is precisely what adversaries exploit, targeting organizations that have left themselves exposed by not fully migrating to modern authentication standards.
BAV2ROPC Sidesteps Modern Defenses
BAV2ROPC stands for Basic Authentication Version 2, Resource Owner Password Credential.
Originally intended to ease the transition from basic authentication to OAuth 2.0 by allowing legacy applications to obtain tokens using username and password credentials, it has since become a liability.
The process is dangerously straightforward: applications send a username and password to Entra ID, which issues access tokens without any user interaction, login prompts, or MFA challenges.
This silent, non-interactive flow is frequently invoked by obsolete mail clients, automated scripts, or, most concerningly, with compromised user credentials.
As a result, security logs and incident response teams may remain oblivious to the breach until after significant damage has been done.
According to the report, the recent campaign tracked by Guardz Research was notable for its scale and sophistication.
Attackers employed credential spraying and brute-force tactics in a highly automated fashion, rotating through dozens of unique IP addresses spread across Eastern Europe and the Asia-Pacific region.
The onslaught was both relentless and adaptive: the attack timeline began with low-volume probing for reconnaissance, escalated to sustained daily attacks, and reached a fever pitch in early April, with over 8,500 login attempts recorded in a single day.
In total, more than 9,000 suspicious Exchange login attempts were detected, the vast majority targeting Exchange Online and the Microsoft Authentication Library.
Attackers specifically homed in on admin accounts: one subset was targeted with close to 10,000 attempts from more than 400 IP addresses within just eight hours, demonstrating a drive to breach privileged identities and escalate their foothold quickly.
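Both the silent BAV2ROPC token flow and the spraying pattern described above leave traces in Entra ID sign-in logs. The script below is an added example, not code from Guardz Research or Microsoft; it assumes records shaped like Microsoft Graph signIn objects (userPrincipalName, clientAppUsed, ipAddress, status.errorCode) and runs over a constructed sample of such records, flagging legacy-protocol attempts spread across many source IPs as well as any legacy-auth sign-in that succeeded.

```python
from collections import defaultdict

# clientAppUsed values Entra ID reports for legacy (non-modern) authentication.
# Set membership is an assumption for this example, not an exhaustive list.
LEGACY_CLIENT_APPS = {"Other clients", "IMAP4", "POP3", "Authenticated SMTP"}

# Constructed sample records shaped like Microsoft Graph signIn objects.
# errorCode 0 = success, 50126 = invalid credentials (as assumed here).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "admin@example.com", "clientAppUsed": "Other clients",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"userPrincipalName": "admin@example.com", "clientAppUsed": "Other clients",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 50126}},
    {"userPrincipalName": "admin@example.com", "clientAppUsed": "Other clients",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "svc-mail@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "user@example.com", "clientAppUsed": "Browser",
     "ipAddress": "192.0.2.9", "status": {"errorCode": 0}},
]

def is_legacy_auth(record):
    """True when the sign-in used a protocol that cannot enforce MFA or CA."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS

def legacy_auth_summary(records, min_attempts=3, min_ips=2):
    """Aggregate legacy-auth sign-ins per user and flag two patterns:
    many attempts spread over many source IPs (spraying/brute force),
    or any successful legacy-auth token issuance (silent ROPC-style login)."""
    per_user = defaultdict(lambda: {"attempts": 0, "ips": set(), "successes": 0})
    for rec in records:
        if not is_legacy_auth(rec):
            continue
        stats = per_user[rec["userPrincipalName"]]
        stats["attempts"] += 1
        stats["ips"].add(rec["ipAddress"])
        if rec.get("status", {}).get("errorCode") == 0:
            stats["successes"] += 1
    findings = {}
    for upn, s in per_user.items():
        spraying = s["attempts"] >= min_attempts and len(s["ips"]) >= min_ips
        findings[upn] = {"attempts": s["attempts"], "distinct_ips": len(s["ips"]),
                         "successes": s["successes"], "suspicious": spraying or s["successes"] > 0}
    return findings

if __name__ == "__main__":
    for upn, finding in legacy_auth_summary(SAMPLE_SIGNINS).items():
        print(upn, finding)
```

On real data the thresholds should be tuned to the tenant; a single successful legacy-auth sign-in is worth reviewing regardless, since it means a token was issued with no MFA or Conditional Access evaluation.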
The findings from this campaign serve as a stark warning: organizations that continue to allow legacy authentication protocols are unwittingly placing themselves in the crosshairs of increasingly advanced threat actors.
The only effective countermeasure is a strong, modernized configuration, one that disables legacy authentication flows entirely. For many, that will require a difficult but necessary transition away from outdated systems and business practices that still rely on these vulnerable protocols.
Until then, the risks are not just theoretical but very real, as this global and calculated campaign has shown.
Security teams must prioritize upgrading their identity infrastructure if they hope to withstand the ever-evolving tactics of today’s cyber adversaries.