CISA Emergency Directive 26-01 mandates the immediate remediation of a critical MFA bypass vulnerability in Microsoft Entra ID. Threat actors exploited the legacy Resource Owner Password Credentials (ROPC) OAuth 2.0 flow via the Azure CLI to conduct high-volume password spraying. This vector bypasses Conditional Access (CA) policies and MFA challenges by utilizing non-interactive authentication. Between June 12 and June 26, 2026, over 81 million login attempts were recorded, resulting in the compromise of 78+ accounts across 64 organizations. Immediate remediation requires the total disablement of the ROPC flow or its restriction to isolated service accounts to secure the cloud identity perimeter.
Exploitation Vector: ROPC Flow Abuse
- Abuses the legacy Resource Owner Password Credentials (ROPC) OAuth 2.0 flow to exchange credentials directly for access tokens.
- Eliminates the interactive login prompt, effectively bypassing MFA triggers and Conditional Access (CA) policies.
- Threat actors used the Azure CLI to automate password spraying at scale against cloud identity perimeters.
Attack Scale and Impact
- Observed 81 million unauthorized login attempts targeting Microsoft 365 and Azure tenants.
- Confirmed compromise of 78+ accounts across at least 64 distinct organizations.
- Primary exploitation window identified between June 12 and June 26, 2026.
Detection and Technical Artifacts
- Sign-in logs showing "MFA requirement satisfied" without a corresponding successful MFA challenge event.
- Audit logs indicating unauthorized modifications to MFA settings or the creation of new authentication methods.
- Identification of specific IP addresses and user-agent strings linked to ROPC-based bypass toolsets.
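The two log artifacts above (one source address failing against many accounts through a non-interactive client, and a success marked MFA-satisfied with no preceding MFA challenge event) can be checked mechanically. The following is an added example, not part of the directive or of any Microsoft tooling; the record fields and the sample sign-ins are constructed and only loosely modelled on Entra ID sign-in log fields.

```python
from collections import defaultdict

def rec(ts, ip, user, interactive, result, mfa=None):
    """Simplified sign-in record (constructed; fields are assumptions)."""
    return {"ts": ts, "ip": ip, "user": user, "interactive": interactive,
            "result": result, "mfa": mfa}

# Constructed sample data, not real logs: one IP sprays three accounts via a
# non-interactive (ROPC-style) client and then lands a success, one IP is a
# normal retry backed by an MFA challenge, one is an interactive sign-in.
SIGNINS = [
    rec(10, "203.0.113.7", "alice@corp.example", False, "failure"),
    rec(11, "203.0.113.7", "bob@corp.example", False, "failure"),
    rec(12, "203.0.113.7", "carol@corp.example", False, "failure"),
    rec(13, "203.0.113.7", "carol@corp.example", False, "success", "satisfied"),
    rec(20, "198.51.100.2", "dave@corp.example", False, "failure"),
    rec(25, "198.51.100.2", "dave@corp.example", False, "success", "satisfied"),
    rec(30, "192.0.2.9", "erin@corp.example", True, "success", "satisfied"),
]
# Constructed: (user, ts) of successful MFA challenge events seen in the logs.
MFA_CHALLENGES = {("dave@corp.example", 22), ("erin@corp.example", 29)}

def spray_sources(signins, min_users=3):
    """IPs whose failed non-interactive sign-ins hit >= min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    for r in signins:
        if r["result"] == "failure" and not r["interactive"]:
            users_by_ip[r["ip"]].add(r["user"])
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_users}

def claim_only_mfa(signins, challenges, window=600):
    """Non-interactive successes marked MFA-satisfied with no MFA challenge
    event for the same user in the preceding `window` seconds."""
    hits = []
    for r in signins:
        if r["result"] != "success" or r["interactive"] or r["mfa"] != "satisfied":
            continue
        if not any(u == r["user"] and 0 <= r["ts"] - t <= window for u, t in challenges):
            hits.append((r["user"], r["ip"]))
    return hits

def findings(signins=SIGNINS, challenges=MFA_CHALLENGES):
    """Both checks together; a user in claim_only_mfa from a spray IP is the
    pattern described in this advisory."""
    return {"spray_ips": spray_sources(signins),
            "mfa_bypass": claim_only_mfa(signins, challenges)}

if __name__ == "__main__":
    print(findings())
```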
CISA Directive 26-01 Mandates
- Requires federal agencies to immediately disable legacy authentication paths to prevent identity perimeter breaches.
- Mandates the removal of ROPC flow capabilities or strict limitation to isolated, monitored service accounts.
- Focuses on bridging the "security gap" where organizations assume global MFA is active while legacy protocols remain enabled.
Strategic Remediation and Defense
- Transition to phishing-resistant MFA standards, such as FIDO2 and Windows Hello for Business.
- Audit all enabled OAuth flows and Entra ID authentication methods to identify and remove legacy debt.
- Configure Conditional Access policies to explicitly block all legacy authentication protocols.
Operational Risk Management
- Coordinate with FedRAMP to ensure cloud compliance and rapid response across federal tenants.
- Secure "break-glass" Emergency Access Accounts (EAA) to prevent lockouts while restricting ROPC.
- Implement strict exclusion lists and secure credential storage for EAAs to avoid introducing new vulnerabilities.