A sophisticated cyber campaign targeting Microsoft Entra ID was uncovered, running between March 18 and April 7, 2025. The attackers exploited legacy authentication protocols, specifically BAV2ROPC, SMTP AUTH, POP3, and IMAP4, to bypass modern security measures like Multi-Factor Authentication (MFA) and Conditional Access policies. These outdated methods, although deprecated by Microsoft, remain active in many organizations due to business continuity needs, inadvertently creating dangerous entry points for threat actors.

Researchers observed a highly coordinated effort using automated credential spraying and brute-force techniques aimed at exploiting these legacy endpoints. Over 9,000 suspicious login attempts were logged during the campaign, with a spike of 8,534 attempts in a single day between April 4–7. The attacks were globally distributed, originating mainly from Eastern Europe and the Asia-Pacific region. The campaign began with low-volume reconnaissance, escalating over time into aggressive, sustained activity primarily targeting Exchange Online, an indicator of intent to access sensitive emails and authentication tokens.

Central to the attackers’ strategy was the use of the BAV2ROPC protocol, which allows applications to bypass traditional user authentication processes by sending credentials directly to Entra ID in a non-interactive way. This mechanism issues access tokens without triggering MFA or Conditional Access policies, making it an effective backdoor. Its stealthy nature avoids generating user alerts or login prompts, allowing attackers to operate without detection, especially after harvesting credentials through phishing or other initial access methods.

One of the most alarming aspects of the campaign was its scale and focus on administrative accounts. A particular subset of accounts experienced nearly 10,000 login attempts from 432 unique IP addresses in just eight hours, showcasing the automated and distributed nature of the attack. This campaign underscores the critical risk posed by maintaining legacy protocols and highlights the urgent need for organizations to disable outdated authentication methods to close exploitable security gaps.