Guardz researchers have uncovered a sophisticated cyberattack campaign targeting legacy authentication protocols in Microsoft Entra ID, active from March 18 to April 7. The campaign exploited outdated authentication methods still in use by many organizations, allowing attackers to bypass controls such as Multi-Factor Authentication (MFA) and Conditional Access policies. Despite Microsoft’s efforts to phase out protocols like BAV2ROPC, SMTP AUTH, POP3, and IMAP4, they remain in use because of technical constraints and business continuity needs, leaving an exploitable gap.
The attackers ran automated credential spraying and brute-force attempts, primarily against Exchange Online accounts. Activity peaked between April 4 and 7, with 8,534 attempts recorded in a single day. Most of the attempts originated from Eastern Europe and the Asia-Pacific region and targeted administrative accounts in order to reach sensitive information and authentication tokens.
Central to the campaign was the abuse of BAV2ROPC, a legacy mechanism that lets applications built for Basic Authentication obtain OAuth 2.0 tokens. Because it exchanges a username and password directly for tokens, an attacker holding valid credentials sidesteps the interactive sign-in flow and, with it, any MFA or Conditional Access challenge. With a focus on email, the attackers aimed to obtain sensitive data. The findings underline the urgent need for organizations to retire outdated protocols and strengthen their defenses against campaigns of this kind.
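As an added example (not code from the Guardz report), the following Python triages Entra ID sign-in records for the pattern the article describes: legacy-protocol sign-ins, a single source spraying many accounts, the daily volume that reveals a peak phase, and any legacy sign-in that succeeded and therefore never faced MFA. It uses the Microsoft Graph `signIn` field names (`clientAppUsed`, `status.errorCode`); the records and the three-account spray threshold are constructed for illustration.

```python
from collections import Counter, defaultdict

# clientAppUsed values that Entra ID sign-in logs (Microsoft Graph signIn schema)
# report for clients that can still use Basic Authentication; "Other clients" is
# Microsoft's catch-all for the remaining legacy-authentication clients.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3",
                      "Exchange ActiveSync", "Other clients"}
INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password

def _rec(ts, upn, ip, app, code):
    """Build a minimal sign-in record using the Graph field names read below."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}}

# Constructed sample records (not real telemetry); RFC 5737 documentation addresses.
SAMPLE_SIGNINS = [
    _rec("2025-04-04T23:58:01Z", "admin@contoso.example", "203.0.113.10", "IMAP4", INVALID_CREDENTIALS),
    _rec("2025-04-05T00:01:12Z", "jdoe@contoso.example", "203.0.113.10", "IMAP4", INVALID_CREDENTIALS),
    _rec("2025-04-05T00:01:40Z", "itops@contoso.example", "203.0.113.10", "Authenticated SMTP", INVALID_CREDENTIALS),
    _rec("2025-04-05T00:02:03Z", "svc-mail@contoso.example", "203.0.113.10", "POP3", 0),
    _rec("2025-04-05T08:15:00Z", "jdoe@contoso.example", "198.51.100.7", "Browser", 0),
    _rec("2025-04-06T11:30:22Z", "admin@contoso.example", "198.51.100.7", "Exchange ActiveSync", INVALID_CREDENTIALS),
]

def legacy_auth_events(records):
    """Sign-ins that used a legacy client app, i.e. paths MFA cannot challenge."""
    return [r for r in records if r.get("clientAppUsed") in LEGACY_CLIENT_APPS]

def spraying_sources(records, min_users=3):
    """IPs whose failed legacy sign-ins span many distinct accounts: a spray signature."""
    users_by_ip = defaultdict(set)
    for r in legacy_auth_events(records):
        if r["status"]["errorCode"] != 0:  # only failed attempts count toward a spray
            users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_users}

def attempts_per_day(records):
    """Daily legacy-auth volume, to expose a peak phase like the one in the article."""
    return Counter(r["createdDateTime"][:10] for r in legacy_auth_events(records))

def successful_legacy_logins(records):
    """Successful legacy sign-ins: each one bypassed MFA and warrants review."""
    return [(r["userPrincipalName"], r["clientAppUsed"])
            for r in legacy_auth_events(records) if r["status"]["errorCode"] == 0]
```

In production the records would come from the Graph `auditLogs/signIns` endpoint or a SIEM export rather than the inline list; the functions operate on any iterable of such dictionaries.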