CISA Emergency Directive 26-01: Microsoft Entra ID MFA Bypass
CISA Emergency Directive 26-01 mandates the immediate remediation of a critical MFA bypass vulnerability in Microsoft Entra ID. Threat actors exploited the legacy Resource Owner Password Credentials (ROPC) OAuth 2.0 flow via the Azure CLI to conduct high-volume password spraying. This vector bypasses Conditional Access (CA) policies and MFA challenges because ROPC is a non-interactive flow: the password is submitted directly, so there is no interactive session in which a challenge can be presented. Between June 12 and June 26, 2026, over 81 million login attempts were recorded, resulting in the compromise of 78+ accounts across 64 organizations. Immediate remediation requires the total disablement of the ROPC flow or its restriction to isolated service accounts to secure the cloud identity perimeter.
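The detection side of the directive, as an added example that is not part of the directive or of any Microsoft tooling: a script that reads exported Entra sign-in records, isolates non-interactive ROPC sign-ins, flags source addresses that attempted many distinct accounts inside one window (the spraying pattern), lists the accounts that those sources signed in successfully, and reports every account still using ROPC that is not on the approved list of isolated service accounts. Record fields are assumed to follow the Microsoft Graph `signIn` object (`authenticationProtocol`, `appId`, `status.errorCode`); the Azure CLI application ID is Microsoft's published first-party value, and all log records, accounts and addresses are constructed for the example.

```python
"""Detect ROPC password spraying in exported Microsoft Entra ID sign-in logs.

Added example, not part of the directive. Records are assumed to look like
Microsoft Graph `signIn` objects (trimmed to the fields used here). The Azure CLI
application ID is Microsoft's published first-party value; every log record below
is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI (first-party app)


def parse_ts(value):
    """Parse an ISO-8601 timestamp such as 2026-06-14T02:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ropc_record(ts, upn, ip, error_code, app_id=AZURE_CLI_APP_ID):
    """Build a constructed non-interactive ROPC sign-in record (errorCode 0 = success)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "appId": app_id, "appDisplayName": "Microsoft Azure CLI",
            "authenticationProtocol": "ropc", "isInteractive": False,
            "status": {"errorCode": error_code}}


# Constructed sample: one source IP tries 40 accounts in 40 seconds (AADSTS50126,
# bad username or password), then lands one valid password a few minutes later.
SAMPLE_SIGNINS = [
    ropc_record(f"2026-06-14T02:00:{i:02d}Z", f"user{i}@example.com", "203.0.113.10", 50126)
    for i in range(40)
] + [
    ropc_record("2026-06-14T02:05:00Z", "user17@example.com", "203.0.113.10", 0),
    # Approved isolated service account using ROPC at low volume.
    ropc_record("2026-06-14T09:00:00Z", "svc-backup@example.com", "192.0.2.20", 0),
    # Ordinary interactive browser sign-in (authorization-code flow), not ROPC.
    {"createdDateTime": "2026-06-14T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.5", "appId": "00000000-0000-0000-0000-000000000001",
     "appDisplayName": "Example Web App", "authenticationProtocol": "oAuth2",
     "isInteractive": True, "status": {"errorCode": 0}},
]


def detect_ropc_spray(records, allowed_ropc_accounts=frozenset(), window_minutes=10, min_users=10):
    """Return spraying sources and any ROPC use outside the approved service accounts.

    A source IP is treated as a spray if, within one fixed window, it attempted ROPC
    sign-ins for at least `min_users` distinct accounts. Successful sign-ins from such
    a source are the accounts to treat as compromised.
    """
    by_ip = defaultdict(list)
    unapproved = set()
    for r in records:
        if r.get("authenticationProtocol") != "ropc":
            continue  # interactive flows can still be challenged; only ROPC is in scope
        if r["userPrincipalName"] not in allowed_ropc_accounts:
            unapproved.add(r["userPrincipalName"])
        by_ip[r["ipAddress"]].append(r)

    spray_sources = {}
    window_seconds = window_minutes * 60
    for ip, rs in by_ip.items():
        # Count distinct target accounts per fixed time bucket; keep the busiest bucket.
        users_per_window = defaultdict(set)
        for r in rs:
            bucket = int(parse_ts(r["createdDateTime"]).timestamp() // window_seconds)
            users_per_window[bucket].add(r["userPrincipalName"])
        peak = max(len(users) for users in users_per_window.values())
        if peak < min_users:
            continue
        spray_sources[ip] = {
            "peak_distinct_users": peak,
            "failures": sum(1 for r in rs if r["status"]["errorCode"] != 0),
            "successes": sorted({r["userPrincipalName"] for r in rs if r["status"]["errorCode"] == 0}),
        }
    return {"spray_sources": spray_sources, "unapproved_ropc_accounts": sorted(unapproved)}


if __name__ == "__main__":
    import json
    print(json.dumps(detect_ropc_spray(SAMPLE_SIGNINS, {"svc-backup@example.com"}), indent=2))
```

The `unapproved_ropc_accounts` list is the remediation check: once ROPC is disabled tenant-wide it should be empty, and if ROPC is instead restricted to isolated service accounts, every name on that list is an account that still needs to be moved off the flow. Thresholds are tuning knobs; a source that hits ten distinct accounts in ten minutes over a non-interactive flow has no routine explanation, but the window and count should be set against the tenant's own baseline.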
Nation-State Weaponization of ROADtools for Entra ID Identity Abuse
Nation-state actors, including APT29 (Midnight Blizzard), APT33 (Curious Serpens), and UTA0355, are weaponizing the open-source ROADtools framework to compromise Microsoft Entra ID environments. Attackers exploit permissive Intune enrollment settings and poor identity hygiene to register rogue, attacker-controlled devices as legitimate corporate assets via administrative API calls. This process allows the acquisition of Primary Refresh Tokens (PRTs), which enable the bypass of Multi-Factor Authentication (MFA) by satisfying Conditional Access policies that trust managed devices. This technique provides high-persistence cloud access and allows malicious activity to blend with standard administrative operations, facilitating stealthy lateral movement and data exfiltration.
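A defender-side check for the device-registration abuse described above, as an added example that is neither from the report nor from ROADtools: it joins Entra audit events for device registration with later sign-in records and flags sign-ins that arrived within a short window of the device's registration, passed Conditional Access as a managed or compliant device, and were completed with a single factor, i.e. the device trust stood in for the MFA prompt. A device registered by one account and then used by another is called out separately. Field names are assumed from the Microsoft Graph `directoryAudit` and `signIn` objects (`activityDisplayName`, `targetResources`, `deviceDetail`, `authenticationRequirement`, `conditionalAccessStatus`); all records, accounts, addresses and device ids are constructed placeholders.

```python
"""Correlate Entra device-registration audit events with later single-factor sign-ins.

Added example, not from the report. It assumes audit records shaped like Graph
`directoryAudit` objects (activityDisplayName "Register device", the new device's
object id in targetResources) and sign-in records shaped like Graph `signIn`
objects (deviceDetail, conditionalAccessStatus, authenticationRequirement).
All records below are constructed; the device ids are placeholders.
"""
from datetime import datetime, timedelta


def parse_ts(value):
    """Parse an ISO-8601 timestamp such as 2026-06-20T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


SAMPLE_AUDIT = [
    {"activityDateTime": "2026-06-20T10:00:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk-admin@example.com"}},
     "targetResources": [{"id": "device-id-placeholder-1", "displayName": "DESKTOP-NEW01"}]},
    {"activityDateTime": "2026-06-01T09:00:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"id": "device-id-placeholder-2", "displayName": "LAPTOP-BOB"}]},
]

SAMPLE_SIGNINS = [
    # 40 minutes after an admin registered the device, a different user signs in from it
    # with only a password; CA passed because the device counts as managed and compliant.
    {"createdDateTime": "2026-06-20T10:40:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.44", "conditionalAccessStatus": "success",
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"deviceId": "device-id-placeholder-1", "isManaged": True, "isCompliant": True}},
    # Bob on the laptop he registered three weeks ago: expected behaviour.
    {"createdDateTime": "2026-06-20T11:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "conditionalAccessStatus": "success",
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"deviceId": "device-id-placeholder-2", "isManaged": True, "isCompliant": True}},
    # Unregistered device, MFA was required and satisfied: expected behaviour.
    {"createdDateTime": "2026-06-20T12:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.9", "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False}},
]


def find_fresh_device_trust(audit_records, signin_records, max_age_hours=24):
    """Return sign-ins where a just-registered device satisfied CA without a second factor."""
    registrations = {}
    for a in audit_records:
        if a.get("activityDisplayName") != "Register device":
            continue
        for target in a.get("targetResources", []):
            registrations[target["id"]] = {
                "registered_at": parse_ts(a["activityDateTime"]),
                "registered_by": a["initiatedBy"]["user"]["userPrincipalName"],
                "display_name": target.get("displayName", ""),
            }

    findings = []
    for s in signin_records:
        device = s.get("deviceDetail") or {}
        reg = registrations.get(device.get("deviceId"))
        if reg is None:
            continue  # device not registered inside the audit window under review
        age = parse_ts(s["createdDateTime"]) - reg["registered_at"]
        if not (timedelta(0) <= age <= timedelta(hours=max_age_hours)):
            continue
        if s.get("conditionalAccessStatus") != "success":
            continue
        if s.get("authenticationRequirement") != "singleFactorAuthentication":
            continue  # MFA was actually performed; device trust did not replace it
        if not (device.get("isManaged") or device.get("isCompliant")):
            continue
        reasons = [f"single-factor sign-in {age.total_seconds() / 60:.0f} minutes after device registration"]
        if reg["registered_by"] != s["userPrincipalName"]:
            reasons.append(f"device registered by {reg['registered_by']} but used by {s['userPrincipalName']}")
        findings.append({"user": s["userPrincipalName"], "deviceId": device["deviceId"],
                         "device_name": reg["display_name"], "ipAddress": s["ipAddress"],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_fresh_device_trust(SAMPLE_AUDIT, SAMPLE_SIGNINS):
        print(finding)
```

Sign-in records do not say whether a Primary Refresh Token was presented, so the script infers the condition that matters to the report: Conditional Access was satisfied by device state rather than by an MFA prompt, on a device that did not exist a short while earlier. Every hit should be checked against the Intune enrollment record for that device; a legitimate enrollment normally has a matching MDM record and is registered by the same user who then signs in from it.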