A recent cybersecurity campaign has cast a spotlight on an old problem in a new era: legacy authentication. Between March and April 2025, attackers exploited a flaw in Microsoft Entra ID's legacy login mechanism, allowing them to bypass Multi-Factor Authentication (MFA) and gain unauthorized access to critical administrator accounts across the finance, healthcare, manufacturing, and technology sectors.
This vulnerability wasn't the result of a zero-day exploit or novel malware, but rather the abuse of a long-standing authentication protocol that should have been retired years ago.
The Weak Link: Legacy Login in a Modern Cloud
Guardz, a cybersecurity firm, identified that attackers were abusing Basic Authentication Version 2 Resource Owner Password Credential (BAV2ROPC), a protocol originally intended to support older applications in Microsoft Entra ID (formerly Azure Active Directory). Unlike modern authentication flows that demand MFA and user presence, BAV2ROPC operates silently in the background. It does not trigger MFA, ignores Conditional Access Policies, and skips alerting mechanisms.
That makes it the perfect door for attackers: quiet, unnoticed, and wide open.
Anatomy of the Attack
The attack unfolded in two distinct phases:
- Initialization Phase (March 18 to 20): A modest probing effort, averaging 2,709 suspicious login attempts daily, likely intended to identify vulnerable endpoints.
- Sustained Attack Phase (March 21 to April 3): Activity surged to over 6,444 daily attempts, a 138% increase. Attackers focused heavily on admin accounts, with one instance receiving nearly 10,000 login attempts from over 430 IP addresses within eight hours.
The attackers used brute-force and credential-stuffing techniques, often targeting Exchange Online and Microsoft Authentication Library endpoints. Their efforts were geographically concentrated in Eastern Europe and the Asia-Pacific region.
Why It Matters
This isn't the first time Microsoft Entra ID has come under scrutiny. Just weeks prior, a separate incident caused widespread account lockouts due to internal issues. But this campaign, unlike that one, wasn't an accident. It was a deliberate and methodical exploitation of outdated technology still embedded in critical infrastructure.
For organizations relying on legacy protocols like BAV2ROPC, POP3, IMAP4, and SMTP AUTH for backward compatibility, the risk is now undeniable. These protocols offer attackers an almost invisible way in, bypassing every modern defense put in place.
A Wake-Up Call for Modernization
While this specific campaign has reportedly ended, the vulnerability it exposed still lingers in many organizations. Attackers have proven that they don’t need to break down doors when a forgotten side entrance is left unlocked.
To mitigate such threats, organizations must:
- Audit and disable all legacy authentication protocols
- Mandate MFA for all users
- Apply Conditional Access Policies to block unsupported authentication flows
- Monitor login activity aggressively for unusual patterns
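As an added illustration of the audit and monitoring steps above (example code written for this article, not Guardz's or Microsoft's tooling), the script below flags sign-in records that used a legacy flow and then looks for the pattern described in this campaign: many attempts against one account from many IP addresses inside an eight-hour window. The field names and all sample records are constructed assumptions modelled on Entra sign-in log exports; map your own export's columns onto them before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Field names (clientAppUsed, authenticationProtocol, userAgent, ...) are modelled on
# Entra sign-in log exports; treat them as an assumption and map your own columns onto them.
LEGACY_CLIENT_APPS = {"Other clients", "IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Exchange Web Services"}
LEGACY_PROTOCOLS = {"ropc"}            # ROPC grants never prompt for MFA
LEGACY_AGENT_MARKERS = ("BAV2ROPC",)   # user-agent string seen in this campaign

def is_legacy_auth(rec):
    """True if a sign-in record used a legacy flow that bypasses MFA and Conditional Access."""
    ua = rec.get("userAgent", "")
    return (rec.get("clientAppUsed") in LEGACY_CLIENT_APPS
            or rec.get("authenticationProtocol", "").lower() in LEGACY_PROTOCOLS
            or any(m in ua for m in LEGACY_AGENT_MARKERS))

def find_spray_targets(records, window_hours=8, min_attempts=50, min_ips=10):
    """Map each account to (attempts, distinct IPs) for its busiest legacy-auth window."""
    # Thresholds are deliberately low for the sample; the campaign hit ~10,000 attempts
    # from 430+ IPs in eight hours, so tune them to your tenant's baseline.
    per_user = defaultdict(list)
    for r in records:
        if is_legacy_auth(r):
            ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
            per_user[r["userPrincipalName"]].append((ts, r["ipAddress"]))
    hits = {}
    for upn, events in per_user.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):                      # sliding window over time
            while events[hi][0] - events[lo][0] > timedelta(hours=window_hours):
                lo += 1
            window = events[lo:hi + 1]
            ips = {ip for _, ip in window}
            if len(window) >= min_attempts and len(ips) >= min_ips:
                hits[upn] = max(hits.get(upn, (0, 0)), (len(window), len(ips)))
    return hits

def _rec(upn, when, ip, app, proto, ua):
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "clientAppUsed": app, "authenticationProtocol": proto, "userAgent": ua}

def constructed_sample():
    """Constructed records: a BAV2ROPC burst against one admin plus a few normal sign-ins."""
    burst = [_rec("admin@example.com", f"2025-03-25T0{i // 30}:{i % 30:02d}:00Z",
                  f"203.0.113.{i % 12}", "Other clients", "ropc", "BAV2ROPC") for i in range(60)]
    normal = [_rec("alice@example.com", f"2025-03-25T09:{i:02d}:00Z", "198.51.100.7",
                   "Browser", "oAuth2", "Mozilla/5.0") for i in range(5)]
    return burst + normal
```

Running `find_spray_targets(constructed_sample())` on the constructed data reports only the admin account, with 60 attempts from 12 addresses; any account that appears in this output while legacy protocols are still enabled is a candidate for immediate lockdown and a Conditional Access block.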
This incident is a clear reminder that modernization isn't just about innovation; it's about survival.
Conclusion
The exploitation of Microsoft Entra ID's legacy login methods shows how modern security infrastructure can be undermined by outdated components. It's time for organizations across industries to stop treating legacy authentication as a harmless relic and start seeing it for what it really is: a hidden backdoor.
Retiring legacy protocols is no longer optional. It’s a critical step toward securing your digital perimeter.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance.
In light of emerging threats like legacy authentication abuse, COE Security also helps clients:
- Identify and disable insecure legacy protocols across cloud infrastructure
- Implement zero-trust access models
- Monitor user access behavior with AI-driven threat intelligence
- Harden identity and access management (IAM) configurations
- Provide incident response and red-teaming focused on access layer threats
Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services