Massive Cyberattack Exploits Microsoft Entra ID Flaw, Bypasses MFA in Admin Accounts
May 9, 2025
A significant flaw in Microsoft Entra ID's legacy login system has been exploited to bypass Multi-Factor Authentication (MFA), specifically targeting admin accounts across finance, healthcare, and technology sectors.
Cybersecurity firm Guardz uncovered these attacks, which occurred between mid-March and early April 2025, utilizing Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC).
The attack unfolded in two distinct phases: an 'Initialization' phase from March 18 to 20, averaging 2,709 suspicious login attempts daily, followed by a 'Sustained Attack' phase from March 21 to April 3, where attempts surged to over 6,444 per day.
Guardz tracked more than 9,000 suspicious login attempts, primarily originating from Eastern Europe and the Asia-Pacific region, employing automated credential spraying and brute-force tactics.
Notably, over 90% of these attacks targeted Exchange Online and the Microsoft Authentication Library, with a striking focus on administrator accounts, including nearly 10,000 attempts from 432 different IP addresses within just eight hours.
The use of BAV2ROPC, a legacy login method, underscores the vulnerabilities associated with outdated authentication methods in cloud environments, allowing attackers to circumvent modern security measures.
Despite the attack campaign subsiding, Guardz warns that vulnerabilities persist in organizations still relying on legacy authentication protocols like BAV2ROPC, SMTP AUTH, POP3, and IMAP4, which create hidden backdoors that can bypass MFA and conditional access.
To mitigate these risks, organizations are strongly urged to audit and disable legacy authentication, enforce modern authentication with MFA, implement conditional access policies, and actively monitor for unusual login activity.
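As an added example (not code from Guardz, Microsoft or the article), the following Python flags sign-ins that used legacy protocols or the BAV2ROPC grant and accounts probed from many source IPs inside a short window, which is the kind of unusual login activity the advice above calls for monitoring. It assumes records shaped like an Entra ID sign-in log export (field names clientAppUsed, userAgent, ipAddress, userPrincipalName, createdDateTime, status.errorCode) and runs over constructed sample records.

```python
# Added example, not code from Guardz or the article: flag legacy-protocol
# sign-ins and credential-spraying patterns in Entra ID sign-in records.
# Assumed record shape follows an Entra ID sign-in log export (clientAppUsed,
# userAgent, ipAddress, userPrincipalName, createdDateTime, status.errorCode).
from collections import defaultdict
from datetime import datetime, timedelta

# Client apps that reach Exchange Online over legacy (basic) auth; such
# sessions are not challenged for MFA or evaluated by conditional access.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3",
                      "Exchange ActiveSync", "Other clients"}

SAMPLE = [  # constructed sign-in records, not real telemetry
    {"createdDateTime": "2025-03-21T08:00:00", "userPrincipalName": "admin@example.com",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Other clients",
     "userAgent": "BAV2ROPC", "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-03-21T09:30:00", "userPrincipalName": "admin@example.com",
     "ipAddress": "203.0.113.11", "clientAppUsed": "Other clients",
     "userAgent": "BAV2ROPC", "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-03-21T12:15:00", "userPrincipalName": "admin@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4",
     "userAgent": "", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-21T10:00:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.5", "clientAppUsed": "Browser",
     "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}},
]

def is_legacy_auth(rec):
    """True if the sign-in used a legacy client protocol or the BAV2ROPC grant."""
    return (rec.get("clientAppUsed") in LEGACY_CLIENT_APPS
            or "BAV2ROPC" in rec.get("userAgent", ""))

def legacy_signins(records):
    """Legacy-auth sign-ins as (user, ip, client, succeeded) tuples."""
    return [(r["userPrincipalName"], r["ipAddress"], r["clientAppUsed"],
             r["status"]["errorCode"] == 0) for r in records if is_legacy_auth(r)]

def spray_targets(records, window=timedelta(hours=8), min_ips=3):
    """Accounts hit from at least min_ips distinct IPs inside any `window`."""
    per_user = defaultdict(list)
    for r in records:
        per_user[r["userPrincipalName"]].append(
            (datetime.fromisoformat(r["createdDateTime"]), r["ipAddress"]))
    flagged = {}
    for user, events in per_user.items():
        events.sort()  # chronological, so each start index scans forward only
        for i, (start, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = max(flagged.get(user, 0), len(ips))
    return flagged
```

A successful legacy-protocol sign-in (errorCode 0 on IMAP4 or BAV2ROPC) for a privileged account is the event to alert on first, since it indicates a credential that was accepted without any MFA challenge.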
Guardz CEO Dor Eisner has emphasized the urgent need to retire outdated technologies to enhance protection against evolving cyber threats.
This incident follows a separate report from April 2025 regarding Microsoft Entra ID account lockouts caused by an internal Microsoft error, contrasting sharply with the deliberate exploitation detailed by Guardz.
The campaign's impact was felt across various sectors, including financial services, healthcare, manufacturing, and technology services, as reported by Guardz to Hackread.com.
Summary based on 1 source
Source

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto • May 9, 2025
Legacy Login in Microsoft Entra ID Exploited to Breach Cloud Accounts