Guardz Uncovers Sophisticated Campaign Exploiting Legacy Authentication in Microsoft Entra ID
The Guardz Research Unit uncovered a coordinated cyber campaign using outdated login methods to bypass MFA and infiltrate cloud environments by attempting to exploit basic authentication protocols
The campaign has since subsided, but Guardz warns that vulnerability continues to exist in many environments, posing a critical risk to organizations that have not yet fully modernized their authentication frameworks. Sectors that were identified as being disproportionately targeted by this vulnerability include financial services, healthcare, manufacturing, and technology services.
"This campaign is a wake-up call—not just about one vulnerability, but about the broader need to retire outdated technologies that no longer serve today's threat landscape," said
Guardz detected over 9,000 suspicious login attempts from distributed IP addresses, primarily originating in
The attack unfolded in two major phases:
- Initialization (
March 18-20 ): Low-intensity probing with approximately 2,709 attempts per day. - Sustained Attack (
March 21-April 3 ): Spiking to over 6,444 attempts per day – a 138% increase – marking a move to aggressive exploitation.
Guardz tracked this progression using new AI-driven research methods and internal systems designed to continuously hunt for anomalous behavior and active threat campaigns on the dark web. The company's AI agents executed thousands of actions in tandem with human GRU researchers, identifying patterns across IPs, geographies, and attack tools.
The campaign zeroed in on Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a behind-the-scenes compatibility mechanism in Entra ID that allows legacy applications to authenticate using usernames and passwords. Unlike modern, interactive login flows that enforce MFA and security checks, BAV2ROPC operates non-interactively and bypasses MFA, Conditional Access Policies, and login alerts and user presence verification.
Guardz urges all organizations to immediately mitigate risks from legacy authentication by auditing and disabling outdated protocols, enforcing modern authentication and MFA across all accounts, implementing conditional access policies to block unsupported flows like ROPC, and closely monitoring for unusual login activity or failed authentication patterns.
Recognizing that small businesses often lack the in-house teams and infrastructure available to larger enterprises, Guardz bridges this gap with its AI-powered cybersecurity platform that delivers identity protection, email security, threat detection, and automated incident response, purpose-built for the needs of small organizations.
To explore Guardz's findings on the legacy authentication attack campaign and how its platform defends against such threats, read the full research blog here.
About Guardz
Guardz provides MSPs and IT professionals with an AI-powered cybersecurity platform designed to secure and insure SMBs against cyberattacks. The Guardz platform offers automatic detection and response, protecting users, emails, devices, cloud directories, and data. By simplifying cybersecurity management, Guardz enables businesses to focus on growth without being bogged down by security complexities. The company's scalable and cost-effective pricing model ensures comprehensive protection for all digital assets, facilitating rapid deployment and business expansion.
Media Contact
[email protected]
+1 323 283 8176
View original content:https://www.prnewswire.com/news-releases/guardz-uncovers-sophisticated-campaign-exploiting-legacy-authentication-in-microsoft-entra-id-302448704.html
SOURCE Guardz
Serious News for Serious Traders! Try StreetInsider.com Premium Free!
You May Also Be Interested In
- Decoy Therapeutics Stockholders Elect Patricia Gauthier to Board of Directors
- KU Medical Center Academic Leader Named Provost at Kansas City University
- INDULGE IN DELECTABLE SKINCARE WITH KIEHL'S X MILK BAR LIMITED-EDITION BODY CARE
Create E-mail Alert Related Categories
PRNewswire, Press ReleasesSign up for StreetInsider Free!
Receive full access to all new and archived articles, unlimited portfolio tracking, e-mail alerts, custom newswires and RSS feeds - and more!



Tweet
Share