Industrialcyber • 2h
CISA Emergency Directive 26-01: Microsoft Entra ID MFA Bypass
CISA Emergency Directive 26-01 mandates the immediate remediation of a critical MFA bypass vulnerability in Microsoft Entra ID. Threat actors exploited the legacy Resource Owner Password Credentials (ROPC) OAuth 2.0 flow via the Azure CLI to conduct high-volume password spraying. This vector bypasses Conditional Access (CA) policies and MFA challenges by utilizing non-interactive authentication. Between June 12 and June 26, 2026, over 81 million login attempts were recorded, resulting in the compromise of 78+ accounts across 64 organizations. Immediate remediation requires the total disablement of the ROPC flow or its restriction to isolated service accounts to secure the cloud identity perimeter.
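An added detection example (not from the directive or the original page): it groups ROPC sign-ins by source IP, flags addresses that target many distinct accounts, and lists any account that authenticated successfully from such an address. The records are constructed, the field names are assumed to follow the Microsoft Graph signIn schema, and the `min_users` threshold is a hypothetical value to tune per tenant.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names are assumed to
# follow the Microsoft Graph signIn schema; 50126 = bad username or password.
def _rec(user, ip, proto, code):
    return {"userPrincipalName": user, "ipAddress": ip,
            "authenticationProtocol": proto, "status": {"errorCode": code}}

SAMPLE_SIGNINS = [
    _rec("alice@example.com", "203.0.113.10", "ropc", 50126),
    _rec("bob@example.com", "203.0.113.10", "ropc", 50126),
    _rec("carol@example.com", "203.0.113.10", "ropc", 0),      # spray hit
    _rec("dave@example.com", "203.0.113.10", "ropc", 50126),
    _rec("svc-backup@example.com", "198.51.100.7", "ropc", 0),  # lone service account
    _rec("alice@example.com", "192.0.2.5", "oAuth2", 0),        # normal OAuth sign-in
]

def find_ropc_spray(signins, min_users=3):
    """Return {ip: {"targeted": [...], "succeeded": [...]}} for spraying IPs.

    An IP is flagged when it attempted ROPC sign-ins against at least
    `min_users` distinct accounts (hypothetical threshold).
    """
    by_ip = defaultdict(lambda: {"targeted": set(), "succeeded": set()})
    for rec in signins:
        if rec.get("authenticationProtocol") != "ropc":
            continue  # only the non-interactive password flow is in scope
        user = rec["userPrincipalName"].lower()
        entry = by_ip[rec["ipAddress"]]
        entry["targeted"].add(user)
        if rec.get("status", {}).get("errorCode") == 0:
            entry["succeeded"].add(user)  # password accepted, no MFA challenge
    return {
        ip: {"targeted": sorted(e["targeted"]), "succeeded": sorted(e["succeeded"])}
        for ip, e in by_ip.items()
        if len(e["targeted"]) >= min_users
    }

if __name__ == "__main__":
    for ip, hit in find_ropc_spray(SAMPLE_SIGNINS).items():
        print(ip, "targeted", len(hit["targeted"]), "succeeded", hit["succeeded"])
```

Accounts listed under `succeeded` are the ones to treat as compromised; a single service account using ROPC from its own address stays below the threshold and is not flagged.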