Guardz, a cybersecurity company focused on empowering Managed Service Providers (MSPs) and IT professionals, has uncovered a coordinated attack campaign targeting outdated authentication protocols in Microsoft Entra ID. The campaign, detected by Guardz's Research Unit (GRU), abused legacy authentication, in particular BAV2ROPC, to sign in with nothing more than a username and password, sidestepping Multi-Factor Authentication (MFA) and Conditional Access Policies wherever those controls had not been extended to legacy clients. The attack, active from March 18 to April 7, 2025, is a warning to businesses that have not fully modernized their authentication frameworks.
About the Attack Campaign
Guardz identified over 9,000 suspicious login attempts from IP addresses across Eastern Europe and the Asia-Pacific region, indicating a globally coordinated operation. The attackers used automation, IP rotation, and purpose-built tooling to probe security controls and gain unauthorized access, targeting Exchange Online in particular. The attack unfolded in two phases:
- Initialization (March 18-20): low-intensity probing, approximately 2,709 attempts in total.
- Sustained attack (March 21-April 3): 6,444 attempts, marking the shift to aggressive exploitation. Together the two phases account for the 9,000-plus attempts observed.
Exploiting Legacy Authentication Protocols
The attackers targeted Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy compatibility mechanism in Microsoft Entra ID that appears under that name in a tenant's sign-in logs. BAV2ROPC lets legacy applications authenticate with only a username and password, outside the interactive login flows in which MFA and other security checks are enforced. Because the flow is non-interactive, there is no MFA challenge and no user-facing sign-in prompt to alert the account owner; unless a Conditional Access Policy explicitly blocks legacy clients, a valid password is enough to get in. The attempts do land in the sign-in logs, which is what makes the activity detectable, but wherever the protocol remains enabled it is a critical exposure.
Guardz’s AI-Powered Detection
Guardz tracked the attack using AI-driven research and internal systems built to detect anomalous behavior. AI agents executed thousands of simultaneous actions alongside human researchers, identifying patterns across IPs, geographies, and attack tools, which let Guardz follow the evolving attack in real time.
Call to Action for Organizations
Guardz urges all organizations to take immediate action to mitigate risks associated with legacy authentication methods. The company recommends the following steps:
- Audit sign-in logs for legacy protocols such as BAV2ROPC, identify any clients that still depend on them, and disable those protocols.
- Enforce modern authentication and MFA across all accounts, including service and shared mailboxes.
- Implement Conditional Access Policies that block the legacy client app types (Exchange ActiveSync and Other clients) for all users and all cloud apps, since ROPC-style logins cannot complete an MFA challenge.
- Monitor sign-in logs for legacy client apps, bursts of failed authentications spread across many accounts and source IPs, and any successful legacy sign-in, which means the password is compromised and must be reset.
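The audit and monitoring steps above in code, as an added example rather than Guardz's own tooling: the script takes sign-in records and Conditional Access policies in the shape returned by the Microsoft Graph `auditLogs/signIns` and `identity/conditionalAccess/policies` endpoints, flags legacy-client sign-ins, summarizes them per day (attempts, distinct source IPs, distinct accounts, failures), finds the day on which volume jumps relative to the preceding baseline, lists any legacy sign-in that succeeded, and checks whether any enforced policy actually blocks the legacy client app types. Every record and policy here is constructed; the field names follow the Graph schema, but the exact label under which BAV2ROPC shows up in a given tenant's logs is an assumption, so both `clientAppUsed` and `appDisplayName` are checked.

```python
"""Audit Entra ID sign-in records and Conditional Access policies for
legacy (BAV2ROPC-style) authentication exposure.

Added example, not Guardz's tooling. Inputs are constructed in the shape of
Microsoft Graph `auditLogs/signIns` and `identity/conditionalAccess/policies`
resources; the label under which BAV2ROPC appears in a tenant's logs is an
assumption, so both clientAppUsed and appDisplayName are checked against it.
"""
from collections import defaultdict
from statistics import mean

# BAV2ROPC plus the Entra client-app buckets that cannot satisfy an MFA challenge.
LEGACY_CLIENT_APPS = {"BAV2ROPC", "Other clients", "IMAP4", "POP3",
                      "Authenticated SMTP", "Exchange ActiveSync"}
INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password


def _rec(ts, upn, ip, client, code):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": client, "appDisplayName": "Office 365 Exchange Online",
            "status": {"errorCode": code}}

# Constructed sample: two days of light probing from a single IP, then a
# burst with rotating source IPs, five targeted accounts and one success.
SIGNINS = [
    _rec("2025-03-18T08:02:11Z", "alice@contoso.example", "203.0.113.10", "Browser", 0),
    _rec("2025-03-18T21:17:45Z", "alice@contoso.example", "198.51.100.7", "BAV2ROPC", INVALID_PASSWORD),
    _rec("2025-03-18T21:18:02Z", "bob@contoso.example", "198.51.100.7", "BAV2ROPC", INVALID_PASSWORD),
    _rec("2025-03-19T22:05:31Z", "carol@contoso.example", "198.51.100.9", "BAV2ROPC", INVALID_PASSWORD),
    _rec("2025-03-19T22:06:14Z", "alice@contoso.example", "198.51.100.9", "BAV2ROPC", INVALID_PASSWORD),
] + [
    _rec(f"2025-03-21T01:10:{7 * i:02d}Z", upn, f"198.51.100.{21 + i}", "BAV2ROPC", code)
    for i, (upn, code) in enumerate([
        ("alice@contoso.example", INVALID_PASSWORD), ("bob@contoso.example", INVALID_PASSWORD),
        ("carol@contoso.example", INVALID_PASSWORD), ("dave@contoso.example", INVALID_PASSWORD),
        ("erin@contoso.example", INVALID_PASSWORD), ("bob@contoso.example", 0),
        ("dave@contoso.example", INVALID_PASSWORD)])
]


def is_legacy(rec):
    """True if the sign-in used a legacy client path that never prompts for MFA."""
    return (rec.get("clientAppUsed") in LEGACY_CLIENT_APPS
            or rec.get("appDisplayName") in LEGACY_CLIENT_APPS)


def legacy_daily_summary(records):
    """Per day: legacy attempts, distinct source IPs, distinct accounts, failures.
    Many IPs against many accounts in one day is the spray/rotation shape."""
    days = defaultdict(lambda: {"attempts": 0, "ips": set(), "users": set(), "failures": 0})
    for r in filter(is_legacy, records):
        d = days[r["createdDateTime"][:10]]
        d["attempts"] += 1
        d["ips"].add(r["ipAddress"])
        d["users"].add(r["userPrincipalName"])
        d["failures"] += int(r["status"]["errorCode"] != 0)
    return dict(days)


def spike_days(records, factor=2.0):
    """Days whose legacy attempt count exceeds `factor` x the mean of all earlier days."""
    summary = legacy_daily_summary(records)
    out, history = [], []
    for day in sorted(summary):
        n = summary[day]["attempts"]
        if history and n > factor * mean(history):
            out.append(day)
        history.append(n)
    return out


def successful_legacy_signins(records):
    """Legacy sign-ins that succeeded: the password is in the attacker's hands
    and no MFA challenge was ever issued. Reset the password, revoke sessions."""
    return [(r["createdDateTime"], r["userPrincipalName"], r["ipAddress"])
            for r in records if is_legacy(r) and r["status"]["errorCode"] == 0]


def policy_blocks_legacy_auth(policy):
    """True if a Conditional Access policy is enforced (not report-only) and
    blocks the legacy client app types for all users and all cloud apps.
    excludeUsers/excludeGroups are not evaluated; review those by hand."""
    cond = policy.get("conditions", {})
    types = set(cond.get("clientAppTypes", []))
    grant = policy.get("grantControls") or {}
    return (policy.get("state") == "enabled"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", [])
            and ("all" in types or {"exchangeActiveSync", "other"} <= types)
            and "block" in grant.get("builtInControls", []))


def tenant_blocks_legacy_auth(policies):
    return any(policy_blocks_legacy_auth(p) for p in policies)

# Constructed tenant: the legacy block exists only in report-only mode, and the
# enforced MFA policy is scoped to browsers, which a BAV2ROPC login never uses.
CA_POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for browser sign-in", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
```

On the constructed data the summary shows two attempts per day from one IP on March 18 and 19, then seven attempts from seven IPs against five accounts on March 21, which `spike_days` flags; `successful_legacy_signins` returns the one BAV2ROPC login that got through for bob, and `tenant_blocks_legacy_auth` returns False because the only legacy-blocking policy is report-only. In a real tenant the same functions can be fed the output of the Graph PowerShell cmdlets `Get-MgAuditLogSignIn` and `Get-MgIdentityConditionalAccessPolicy` converted to JSON; flipping the sample policy's `state` to `enabled` is exactly the change that closes the gap.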
Supporting Small Businesses
Recognizing that small businesses often lack the infrastructure of larger enterprises, Guardz bridges the cybersecurity gap with its AI-powered platform, offering identity protection, email security, threat detection, and automated incident response designed for small organizations.
Additional Resources:
- Learn more about Guardz’s AI-driven cybersecurity platform
- Discover how to mitigate risks from legacy authentication protocols
- Explore more about Microsoft Entra ID and its security challenges