The Legacy Loophole: How Attackers Are Exploiting Entra ID and What to Do About It


Between March 18 and April 7, 2025, Guardz Research tracked a targeted campaign exploiting legacy authentication protocols in Microsoft Entra ID. At the center of this operation was BAV2ROPC, a legacy login method that lets attackers sidestep modern defenses like Multi-Factor Authentication (MFA) and Conditional Access.

These attacks were not random. They were systematic, automated, and coordinated across globally distributed infrastructure. The only thing that stopped them was a strong configuration. If your environment still allows legacy authentication, you are an easy target.

Why Legacy Authentication Still Poses a Risk

Legacy authentication methods, such as BAV2ROPC, SMTP AUTH, POP3, and IMAP4, lack modern security features. These protocols bypass MFA, ignore Conditional Access, and enable silent, non-interactive logins. In short, they create a hidden backdoor into your environment.

Microsoft has deprecated or disabled most of these protocols, but many tenants still rely on them for business continuity or due to outdated systems. That reliance is exactly what attackers are counting on.

What Is BAV2ROPC?

BAV2ROPC stands for “Basic Authentication Version 2, Resource Owner Password Credential.” It was designed to help legacy apps transition to OAuth 2.0 by converting username and password-based logins into token-based access.

Here’s how it works:

  • The app sends a username and password to Entra ID
  • Entra ID issues tokens without user interaction
  • No login screen, no MFA challenge, no alerts

BAV2ROPC is often triggered by outdated mail clients, automated scripts, or stolen credentials, making it a favorite tool in the attacker’s playbook.

Attack Campaign Breakdown

The threat actors behind this campaign showed a deep understanding of identity systems. Their attacks were:

  • Coordinated across dozens of unique IPs
  • Automated with credential spraying and brute-force tactics
  • Focused on legacy endpoints that remain exposed in many environments

Key Findings:

  • Over 9,000 suspicious Exchange login attempts were observed in a short time
  • Attacks originated primarily from Eastern Europe and the Asia-Pacific region
  • Clear evidence of distributed infrastructure and IP rotation

The campaign followed a structured timeline:

  • Initial Probing (March 18–20): Low volume, targeted reconnaissance
  • Sustained Attacks (March 21–April 3): Consistent daily volume with strategic bursts
  • Intensification (April 4–7): Major spike in attempts, peaking at 8,534 on April 5

How the Attacks Worked

The attackers targeted several legacy authentication vectors:

  • OAuth Legacy Flow: 12,221 attempts
  • Password Authentication (Value: 16): 28,150 attempts
  • Basic Authentication (Value: 1): 27,332 attempts
  • Legacy Exchange (Value: 8): 21,080 attempts

More than 90 percent of attacks targeted Exchange Online and the Microsoft Authentication Library. These were not random hits. They were calculated moves to access email, identities, and session tokens.

Admin accounts were a specific focus. One subset received nearly 10,000 attempts from 432 IPs within 8 hours. That level of automation reveals a campaign built to breach and escalate fast.
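As an added defender-side example (not code from the Guardz report), the following Python sketch scans exported Entra ID sign-in records for the pattern described above: failed legacy-protocol or BAV2ROPC logins hitting one account from many IPs within an 8-hour window, and single IPs failing against many accounts. It assumes the field names of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, clientAppUsed, userAgent, status.errorCode, createdDateTime); the thresholds and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# clientAppUsed values that Entra ID sign-in logs report for legacy protocols.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3",
                      "Exchange ActiveSync", "Other clients"}

def is_legacy_auth(rec):
    """Legacy protocol, or the BAV2ROPC flow (Entra reports it in the userAgent field)."""
    return (rec.get("clientAppUsed") in LEGACY_CLIENT_APPS
            or rec.get("userAgent", "").startswith("BAV2ROPC"))

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def max_distinct_ips_in_window(recs, window):
    """Most distinct source IPs that hit one account inside any span of length `window`."""
    recs = sorted(recs, key=_ts)
    return max(len({o["ipAddress"] for o in recs
                    if timedelta(0) <= _ts(o) - _ts(r) <= window}) for r in recs)

def find_legacy_spraying(records, window=timedelta(hours=8), min_ips=3, min_users=3):
    """Accounts hit over legacy auth from >= min_ips IPs within `window`, and IPs that
    failed against >= min_users accounts. Thresholds are illustrative, not tuned."""
    failed = [r for r in records if is_legacy_auth(r) and r["status"]["errorCode"] != 0]
    by_user, users_per_ip = defaultdict(list), defaultdict(set)
    for r in failed:
        by_user[r["userPrincipalName"]].append(r)
        users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])
    targeted = {u: n for u, rs in by_user.items()
                if (n := max_distinct_ips_in_window(rs, window)) >= min_ips}
    spraying_ips = {ip: len(us) for ip, us in users_per_ip.items() if len(us) >= min_users}
    return targeted, spraying_ips

def _rec(user, ip, when, app="Other clients", ua="BAV2ROPC", err=50126):
    """Constructed record in the shape of the Graph signIn resource (subset of fields)."""
    return {"userPrincipalName": user, "ipAddress": ip, "createdDateTime": when,
            "clientAppUsed": app, "userAgent": ua, "status": {"errorCode": err}}

SAMPLE_SIGNINS = [  # constructed sample, not from the Guardz report
    _rec("admin@contoso.example", "203.0.113.10", "2025-04-05T01:00:00Z"),
    _rec("admin@contoso.example", "198.51.100.7", "2025-04-05T03:30:00Z"),
    _rec("admin@contoso.example", "192.0.2.55", "2025-04-05T07:45:00Z"),
    _rec("admin@contoso.example", "192.0.2.99", "2025-04-06T02:00:00Z"),  # outside the 8h window
    _rec("alice@contoso.example", "203.0.113.10", "2025-04-05T01:05:00Z", app="IMAP4", ua="Outlook"),
    _rec("bob@contoso.example", "203.0.113.10", "2025-04-05T01:10:00Z", app="POP3", ua="Outlook"),
    _rec("bob@contoso.example", "198.51.100.7", "2025-04-05T09:00:00Z", app="Browser", ua="Mozilla/5.0", err=0),
]

if __name__ == "__main__":
    print(find_legacy_spraying(SAMPLE_SIGNINS))
```

On the sample, the admin account is flagged (3 distinct IPs within 8 hours; the fourth IP falls outside the window) and 203.0.113.10 is flagged for failing against three accounts, while the successful browser sign-in is ignored.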

Read more in the full report here.
