CyberSecurityBoard
Sponsor Register Login

Hackers Exploiting Legacy Protocols in Microsoft Entra ID to Bypass MFA & Conditional Access

These tactics allowed threat actors to bypass Multi-Factor Authentication (MFA) and Conditional Access policies-two critical security measures organizations rely on to protect their digital assets. Legacy authentication protocols, including BAV2ROPC, SMTP AUTH, POP3, and IMAP4, remain vulnerable targets due to their inherent lack of modern security features. When an application leverages BAV2ROPC, it simply sends credentials to Entra ID, which then issues tokens without user interaction, completely bypassing the normal authentication flow that would trigger MFA challenges or Conditional Access evaluations. The attackers specifically exploited outdated authentication methods to circumvent modern security controls, creating a concerning backdoor into enterprise environments. A sophisticated campaign targeting Microsoft Entra ID through legacy authentication protocols has been uncovered, operating between March 18 and April 7, 2025. Most concerning was the finding that approximately 90 percent of these attacks specifically targeted Exchange Online, indicating a deliberate strategy to access email communications and potentially harvest sensitive information and authentication tokens. This process occurs without displaying any login screens or generating the security alerts that would normally accompany authentication attempts. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The implementation works through a direct credential submission where the application code sends the username and password credentials directly to the authentication service. Notably, the attackers focused heavily on administrative accounts, with one subset receiving nearly 10,000 attempts from 432 different IP addresses within just 8 hours, demonstrating the highly automated and distributed nature of the campaign. This technical debt creates a significant security gap that malicious actors are increasingly targeting with sophisticated attacks. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. The research team documented over 9,000 suspicious Exchange login attempts within the three-week period, with attacks originating primarily from Eastern Europe and Asia-Pacific regions. While Microsoft has deprecated or disabled many of these outdated methods, numerous organizations continue to maintain them for business continuity reasons or to support legacy systems. The silent nature of this protocol makes it particularly dangerous as a lateral movement technique once initial credentials have been compromised through phishing or other means.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 12 May 2025 10:35:09 +0000


Cyber News related to Hackers Exploiting Legacy Protocols in Microsoft Entra ID to Bypass MFA & Conditional Access

Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com
How to manage a migration to Microsoft Entra ID - Microsoft Entra ID, formerly Azure Active Directory, is not a direct replacement for on-premises Active Directory due to feature gaps and alternative ways to perform similar identity and access management tasks. For some organizations, a move to ...
1 year ago Techtarget.com
WebAuthn Conditional UI - Despite its recent introduction and ongoing adoption by browsers, there's a noticeable gap in technical documentation and implementation advice for Conditional UI. This article aims to bridge that gap by explaining what Conditional UI is, how it ...
1 year ago Feeds.dzone.com
How to secure on-prem apps with Entra Application Proxy - If your internal web applications are still internet-facing, then it's time to move away from turning your firewall into Swiss cheese just to externalize apps for your users. To reduce the attack surface, a traditional method, such as a VPN, has its ...
1 year ago Techtarget.com
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com
Microsoft will roll out MFA-enforcing policies for admin portal access - Microsoft will soon start rolling out Conditional Access policies requiring multifactor authentication from administrators when signing into Microsoft admin portals such as Microsoft Entra, Microsoft 365, Exchange, and Azure. The company will also ...
1 year ago Bleepingcomputer.com
What is adaptive multifactor authentication? - Adaptive multifactor authentication is a security mechanism intended to authenticate and authorize users through a variety of contextual authentication factors. Adaptive MFA essentially poses different sets of authentication requirements based on the ...
1 year ago Techtarget.com
Hackers Exploiting Legacy Protocols in Microsoft Entra ID to Bypass MFA & Conditional Access - These tactics allowed threat actors to bypass Multi-Factor Authentication (MFA) and Conditional Access policies-two critical security measures organizations rely on to protect their digital assets. Legacy authentication protocols, including BAV2ROPC, ...
1 month ago Cybersecuritynews.com
Iranian Hackers Developed a New Backdoor to Hack Windows - Peach Sandstorm, an Iranian Hackers group, targets diverse sectors globally, and this group is linked to:-. Using password spray campaigns, Peach Sandstorm exhibits opportunistic behavior, with a history of relying on this tactic. This custom ...
1 year ago Cybersecuritynews.com
5 ways to secure identity and access for 2024 - 1 This increase is due in part to the rise of generative AI and large language models, which bring new opportunities and challenges for security professionals while affecting what we must do to secure access effectively. Learn how unified multicloud ...
1 year ago Microsoft.com
MFA and supply chain security: It's no magic bullet - With attackers increasingly targeting developer accounts and using them to poison software builds, manipulate code, and access secrets and data, development teams are under pressure to lock down their development environments. Attackers are targeting ...
1 year ago Securityboulevard.com
Microsoft to start enforcing Azure multi-factor authentication in July - Starting in July, Microsoft will begin gradually enforcing multi-factor authentication for all users signing into Azure to administer resources. After first completing the rollout for the Azure portal, the MFA enforcement will see a similar rollout ...
1 year ago Bleepingcomputer.com Black Basta
Misconfigured MFA Increasingly Targeted by Cybercriminals - In the first quarter of 2024, nearly half of all security incidents our team responded to involved multi-factor authentication issues, according to the latest Cisco Talos report. A quarter of these incidents were caused by users accepting fraudulent ...
11 months ago Securityboulevard.com
Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users - Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk due to supposed credential leaks on the dark web. The alerts have been attributed to a combination of an ...
2 months ago Cybersecuritynews.com
MFA vs 2FA: Which Is Best for Your Business? - If a user falls for a phishing scam and their credentials are compromised, multi-factor authentication or two-factor authentication provide an additional safeguard against a breach. MFA uses authentication factors such as a pin, an SMS code, an ...
1 year ago Techrepublic.com
Microsoft Breach - How Can I See This In BloodHound? - On January 25, 2024, Microsoft announced Russia's foreign intelligence service breached their corporate EntraID environment. We reviewed the information Microsoft's team provided in their post which contained details significant enough to explain ...
1 year ago Securityboulevard.com
CVE-2021-36845 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions < 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. ...
3 years ago
Researchers Find Way to Bypass Phishing-Resistant MFA in Microsoft Entra ID - Cyber Security News - Cybersecurity researchers have uncovered a sophisticated technique to bypass Microsoft’s phishing-resistant multi-factor authentication (MFA) by exploiting the device code authentication flow and Primary Refresh Tokens (PRTs). The current ...
1 month ago Cybersecuritynews.com
Microsoft reveals how hackers breached its Exchange Online accounts - Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign. On January 12, 2024, Microsoft ...
1 year ago Bleepingcomputer.com APT29
Botnet targets Basic Auth in Microsoft 365 password spray attacks - SecurityScorecard also highlights that you may be able to see signs of the password-spray attacks in Entra ID logs, which will show increased login attempts for non-interactive logins, multiple failed login attempts from different IPs, and the ...
3 months ago Bleepingcomputer.com
Microsoft fixes Entra ID authentication issue caused by DNS change - "Between 17:18 UTC and 18:35 UTC on 25 February 2025, customers attempting to authenticate with Microsoft Entra ID using the Seamless SSO and Microsoft Entra Connect Sync features may have experienced DNS resolution failures when trying to access ...
3 months ago Bleepingcomputer.com
Threat Actors Bypass MFA Using AiTM Attack via Reverse Proxies - Multi-factor authentication (MFA) has long been touted as a robust security measure against phishing attacks, but sophisticated threat actors have developed new techniques to circumvent these protections. Rather than simply creating fake landing ...
1 month ago Cybersecuritynews.com
How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions - In particular, there is an immediate and profound impact on the identity and access management postures of both companies. While most combined organizations aspire to eventually consolidate their identity systems, this is a challenging and ...
1 year ago Microsoft.com
Microsoft: Hackers steal emails in device code phishing attacks - "The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such ...
4 months ago Bleepingcomputer.com
Badge Makes Device-Independent Authentication Platform Available - Badge Inc. today announced that a namesake platform that enables end users to securely be authenticated on-demand using any device is now generally available. The company has allied with Okta to provide integration with an identity access management ...
1 year ago Securityboulevard.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)