Hackers Exploiting Legacy Protocols in Microsoft Entra ID to Bypass MFA & Conditional Access

A sophisticated campaign targeting Microsoft Entra ID through legacy authentication protocols has been uncovered, operating between March 18 and April 7, 2025.

The attackers specifically exploited outdated authentication methods to circumvent modern security controls, creating a concerning backdoor into enterprise environments.

These tactics allowed threat actors to bypass Multi-Factor Authentication (MFA) and Conditional Access policies, two critical security measures organizations rely on to protect their digital assets.


Legacy authentication protocols, including BAV2ROPC, SMTP AUTH, POP3, and IMAP4, remain vulnerable targets due to their inherent lack of modern security features.

While Microsoft has deprecated or disabled many of these outdated methods, numerous organizations continue to maintain them for business continuity reasons or to support legacy systems.

This technical debt creates a significant security gap that malicious actors are increasingly targeting with sophisticated attacks.

Guardz researchers identified a coordinated campaign that revealed alarming patterns across dozens of unique IP addresses.

Their analysis showed evidence of automated credential spraying and brute-force techniques specifically designed to exploit these legacy endpoints.

The research team documented over 9,000 suspicious Exchange login attempts within the three-week period, with attacks originating primarily from Eastern Europe and Asia-Pacific regions.

The campaign demonstrated careful planning and execution, beginning with low-volume reconnaissance activities before escalating to sustained daily attacks.

The operation reached its peak intensity between April 4-7, when researchers recorded 8,534 attempts in a single day.

Most concerning was the finding that approximately 90 percent of these attacks specifically targeted Exchange Online, indicating a deliberate strategy to access email communications and potentially harvest sensitive information and authentication tokens.

Understanding BAV2ROPC: The Technical Backdoor

At the center of this campaign was the exploitation of BAV2ROPC (Basic Authentication Version 2, Resource Owner Password Credential), a legacy protocol originally designed to help applications transition to OAuth 2.0.

The protocol functions by converting traditional username and password logins into token-based access through a non-interactive process.

When an application leverages BAV2ROPC, it simply sends credentials to Entra ID, which then issues tokens without user interaction, completely bypassing the normal authentication flow that would trigger MFA challenges or Conditional Access evaluations.

The implementation works through a direct credential submission where the application code sends the username and password credentials directly to the authentication service.

This process occurs without displaying any login screens or generating the security alerts that would normally accompany authentication attempts.

The silent nature of this protocol makes it particularly dangerous as a lateral movement technique once initial credentials have been compromised through phishing or other means.

Notably, the attackers focused heavily on administrative accounts, with one subset receiving nearly 10,000 attempts from 432 different IP addresses within just 8 hours, demonstrating the highly automated and distributed nature of the campaign.
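The patterns described above (legacy authentication use and many source IPs hitting one account within hours) can be checked in Entra ID sign-in logs. The following detection logic is an added example, not code from Guardz or Microsoft; it assumes records shaped like the Microsoft Graph signIn object (userPrincipalName, clientAppUsed, userAgent, ipAddress, createdDateTime, status.errorCode) and that BAV2ROPC appears in the userAgent field, and it runs over constructed sample records rather than real telemetry.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that indicate legacy (non-modern) authentication in
# Entra ID sign-in logs. BAV2ROPC itself is usually visible in userAgent
# (assumption: field naming follows the Microsoft Graph signIn object).
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"}

# Constructed sample records, one JSON object per line (not real telemetry).
SAMPLE_LOG = """\
{"userPrincipalName":"admin@example.com","clientAppUsed":"Other clients","userAgent":"BAV2ROPC","ipAddress":"198.51.100.10","createdDateTime":"2025-04-04T10:00:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"admin@example.com","clientAppUsed":"Other clients","userAgent":"BAV2ROPC","ipAddress":"198.51.100.11","createdDateTime":"2025-04-04T10:05:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"admin@example.com","clientAppUsed":"Other clients","userAgent":"BAV2ROPC","ipAddress":"203.0.113.7","createdDateTime":"2025-04-04T12:30:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"admin@example.com","clientAppUsed":"Other clients","userAgent":"BAV2ROPC","ipAddress":"203.0.113.9","createdDateTime":"2025-04-04T17:59:00Z","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","clientAppUsed":"Browser","userAgent":"Mozilla/5.0","ipAddress":"192.0.2.5","createdDateTime":"2025-04-04T09:00:00Z","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","userAgent":"Thunderbird","ipAddress":"192.0.2.8","createdDateTime":"2025-04-04T11:00:00Z","status":{"errorCode":0}}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_legacy(rec):
    """Legacy auth: a legacy clientAppUsed value or a BAV2ROPC user agent."""
    return rec["clientAppUsed"] in LEGACY_CLIENT_APPS or "BAV2ROPC" in rec.get("userAgent", "")

def legacy_signins(records):
    return [r for r in records if is_legacy(r)]

def spray_candidates(records, min_ips=3, window=timedelta(hours=8)):
    """Accounts hit over legacy auth from >= min_ips distinct IPs inside `window`,
    found with a sliding window over each account's time-sorted legacy sign-ins."""
    by_user = defaultdict(list)
    for r in legacy_signins(records):
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        by_user[r["userPrincipalName"]].append((ts, r["ipAddress"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = ips  # distinct IPs seen in the first window that trips the threshold
                break
    return flagged

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    print(len(legacy_signins(recs)), "legacy sign-ins; spray candidates:", spray_candidates(recs))
```

In the sample, the admin account is flagged (four IPs within eight hours over BAV2ROPC, ending in a success), while bob's single-IP IMAP4 login is surfaced as legacy use but not as spraying; on real exports, lower min_ips or widen the window to match your tenant's baseline.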


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.