A recent, sophisticated cyber attack targeting Microsoft Entra ID has exploited outdated authentication protocols to bypass key security measures such as Multi-Factor Authentication (MFA) and Conditional Access. This campaign, which took place between March 18 and April 7, 2025, created a significant backdoor into enterprise networks, leaving organizations vulnerable to unauthorized access.
The attackers used legacy authentication methods, including BAV2ROPC, SMTP AUTH, POP3, and IMAP4, which lack modern security features. Despite Microsoft deprecating or disabling many of these protocols, some organizations still maintain them for legacy system compatibility, creating a gap that attackers are now targeting.
Exploiting Legacy Protocols
The hackers leveraged these outdated protocols to bypass MFA and Conditional Access policies—critical security measures that are essential to protecting enterprise environments. Researchers from Guardz identified a coordinated campaign, uncovering disturbing patterns across multiple IP addresses. These patterns indicated the use of automated credential spraying and brute-force techniques to exploit vulnerable endpoints.
During the three-week period, researchers documented more than 9,000 suspicious login attempts, primarily originating from Eastern Europe and the Asia-Pacific region. The intensity of the attack escalated in early April, peaking on April 7 with 8,534 attempts in a single day. Nearly 90 percent of the attacks targeted Exchange Online, suggesting that attackers were trying to access sensitive email communications and harvest authentication tokens.
The BAV2ROPC Protocol: A Key Attack Vector
At the heart of the attack was the exploitation of the BAV2ROPC protocol, a legacy system designed to help applications transition to OAuth 2.0. This protocol allows applications to bypass traditional authentication processes by directly submitting username and password credentials to Entra ID. Entra ID then issues access tokens without triggering MFA or Conditional Access evaluations.
The use of BAV2ROPC effectively bypasses the usual security alerts associated with login attempts, making it a silent and stealthy method for lateral movement within compromised systems. Once attackers have obtained initial credentials, often through phishing, they can use BAV2ROPC to gain further access without raising alarms.
Targeting Administrative Accounts
The attackers focused heavily on administrative accounts. In one instance, researchers recorded nearly 10,000 login attempts from 432 different IP addresses targeting these high-privilege accounts within just eight hours, demonstrating the highly automated and distributed nature of the campaign.
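The detection logic a defender would want for the two patterns described above (sign-ins over legacy protocols such as BAV2ROPC, IMAP4 and SMTP AUTH, and many source IPs hammering one account), shown as an added example that is not part of the Guardz report or of any Microsoft tooling. It runs over constructed Entra ID sign-in records whose field names follow the Microsoft Graph signIn resource (clientAppUsed, userAgent, ipAddress, userPrincipalName, status.errorCode); the values, the example.test accounts and the threshold of two distinct IPs are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in log records (made-up values, not real
# log data). Only the fields the checks below need are included.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "admin@example.test", "ipAddress": "203.0.113.10",
  "clientAppUsed": "Other clients", "userAgent": "BAV2ROPC", "status": {"errorCode": 50126}},
 {"userPrincipalName": "admin@example.test", "ipAddress": "203.0.113.11",
  "clientAppUsed": "Other clients", "userAgent": "BAV2ROPC", "status": {"errorCode": 50126}},
 {"userPrincipalName": "admin@example.test", "ipAddress": "198.51.100.7",
  "clientAppUsed": "IMAP4", "userAgent": "", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.test", "ipAddress": "192.0.2.5",
  "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.test", "ipAddress": "203.0.113.12",
  "clientAppUsed": "Authenticated SMTP", "userAgent": "", "status": {"errorCode": 50126}}
]""")

# clientAppUsed values that mean the sign-in did not use modern authentication,
# so Conditional Access and MFA were not evaluated for it.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3",
                      "Authenticated SMTP", "Other clients"}


def is_legacy_auth(rec):
    """True if the record used a legacy protocol or the BAV2ROPC user agent."""
    return (rec.get("clientAppUsed") in LEGACY_CLIENT_APPS
            or "BAV2ROPC" in (rec.get("userAgent") or ""))


def legacy_signins(records):
    """All sign-ins (successful or not) made over legacy authentication."""
    return [r for r in records if is_legacy_auth(r)]


def sprayed_accounts(records, min_distinct_ips=2):
    """Accounts hit over legacy auth from at least min_distinct_ips source IPs:
    the distributed credential-spraying signature, keyed by account."""
    ips_by_user = defaultdict(set)
    for r in legacy_signins(records):
        ips_by_user[r["userPrincipalName"]].add(r["ipAddress"])
    return {u: sorted(ips) for u, ips in ips_by_user.items()
            if len(ips) >= min_distinct_ips}


def successful_legacy_signins(records):
    """Legacy-auth sign-ins that succeeded (errorCode 0): a token was issued
    without MFA, so these are the ones to treat as possible compromise."""
    return [r for r in legacy_signins(records) if r["status"]["errorCode"] == 0]


if __name__ == "__main__":
    print("sprayed:", sprayed_accounts(SAMPLE_SIGNINS))
    print("succeeded:", [r["ipAddress"] for r in successful_legacy_signins(SAMPLE_SIGNINS)])
```

Error code 50126 is Entra's "invalid username or password" result; a high volume of it over legacy protocols from many IPs is the spraying pattern the report describes, and a single success among them is the event to escalate.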
This attack highlights the ongoing risks posed by legacy authentication protocols and underscores the need for organizations to phase them out in favor of more secure, modern methods. As cyber threats continue to evolve, enterprises must prioritize securing their authentication systems to prevent similar attacks.