Breach, Identity, Patch/Configuration Management

MFA circumvented through legacy login flaw


A recent breach exploited a legacy login flaw in Microsoft Entra ID, allowing attackers to bypass multi-factor authentication (MFA) and target administrator accounts across critical sectors like finance, healthcare, and technology, Hackread reports.

Cybersecurity firm Guardz reported that between March 18 and April 7, 2025, attackers used the outdated BAV2ROPC protocol, which bypasses MFA and modern protections by enabling non-interactive logins through basic credentials. The campaign escalated quickly, with daily login attempts rising from around 2,700 to over 6,400, ultimately exceeding 9,000 across Exchange Online and Microsoft Authentication Library endpoints. Admin accounts faced intense targeting, including one case of nearly 10,000 login attempts from 432 IPs in just eight hours. Most attempts originated from Eastern Europe and the Asia-Pacific region. Though the attack has subsided, Guardz warns that legacy protocols like BAV2ROPC continue to expose organizations to risk. CEO Dor Eisner described the breach as “a wake-up call” for companies to eliminate outdated login methods and enforce modern authentication practices.
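A defender can look for this pattern in exported sign-in logs. The sketch below is an added example, not code from Guardz or SC Media: it flags accounts that receive a burst of BAV2ROPC sign-in attempts from several IP addresses inside a time window. It assumes the marker appears in the `userAgent` field and that records use Microsoft Graph sign-in log field names; the sample records, the `flag_legacy_bursts` function, and its thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY_MARKER = "BAV2ROPC"  # assumption: the marker shows up in the userAgent field

def _rec(upn, ip, ts, ua):
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": ts, "userAgent": ua}

# Constructed sample records (documentation IP ranges, example.com accounts).
SAMPLE = [
    _rec("admin@example.com", "203.0.113.10", "2025-03-20T01:00:00Z", "BAV2ROPC"),
    _rec("admin@example.com", "203.0.113.11", "2025-03-20T01:05:00Z", "BAV2ROPC"),
    _rec("admin@example.com", "198.51.100.7", "2025-03-20T02:30:00Z", "BAV2ROPC"),
    _rec("admin@example.com", "198.51.100.7", "2025-03-20T03:00:00Z", "BAV2ROPC"),
    _rec("admin@example.com", "203.0.113.10", "2025-03-21T15:00:00Z", "BAV2ROPC"),
    _rec("user@example.com", "192.0.2.5", "2025-03-20T01:00:00Z", "BAV2ROPC"),
    _rec("admin@example.com", "192.0.2.9", "2025-03-20T01:10:00Z", "Mozilla/5.0"),
]

def flag_legacy_bursts(records, window=timedelta(hours=8),
                       min_attempts=3, min_ips=2):
    """Return {account: {"attempts": n, "ips": k}} for the largest burst of
    legacy-protocol sign-ins per account that meets both thresholds."""
    per_user = defaultdict(list)
    for r in records:
        if LEGACY_MARKER not in (r.get("userAgent") or "").upper():
            continue  # modern clients are out of scope for this check
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        per_user[r["userPrincipalName"].lower()].append((ts, r["ipAddress"]))

    findings = {}
    for upn, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            ips = {ip for _, ip in burst}
            if len(burst) >= min_attempts and len(ips) >= min_ips:
                if len(burst) > findings.get(upn, {"attempts": 0})["attempts"]:
                    findings[upn] = {"attempts": len(burst), "ips": len(ips)}
    return findings

if __name__ == "__main__":
    print(flag_legacy_bursts(SAMPLE))
```

Any hit is also a prompt to check whether legacy authentication is still permitted for that tenant, since the report's recommendation is to eliminate those login methods rather than only monitor them.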
