
CISA Emergency Directive 26-01 mandates the immediate remediation of a critical MFA bypass vulnerability in Microsoft Entra ID. Threat actors exploited the legacy Resource Owner Password Credentials (ROPC) OAuth 2.0 flow via the Azure CLI to conduct high-volume password spraying. This vector bypasses Conditional Access (CA) policies and MFA challenges because the flow authenticates non-interactively: the client submits the username and password directly to the token endpoint, so no interactive prompt occurs at which an MFA challenge would be enforced. Between June 12 and June 26, 2026, over 81 million login attempts were recorded, resulting in the compromise of 78+ accounts across 64 organizations. Immediate remediation requires the total disablement of the ROPC flow or its restriction to isolated service accounts to secure the cloud identity perimeter.

  • Exploitation Vector: ROPC Flow Abuse

    • Abuses the legacy Resource Owner Password Credentials (ROPC) OAuth 2.0 flow to exchange credentials directly for access tokens.
    • Eliminates the interactive login prompt, effectively bypassing MFA triggers and Conditional Access (CA) policies.
    • Used the Azure CLI to automate password spraying at scale against cloud identity perimeters.
  • Attack Scale and Impact

    • Observed 81 million unauthorized login attempts targeting Microsoft 365 and Azure tenants.
    • Confirmed compromise of 78+ accounts across at least 64 distinct organizations.
    • Primary exploitation window identified between June 12 and June 26, 2026.
  • Detection and Technical Artifacts

    • Sign-in logs showing "MFA requirement satisfied" without a corresponding successful MFA challenge event.
    • Audit logs indicating unauthorized modifications to MFA settings or the creation of new authentication methods.
    • Identification of specific IP addresses and user-agent strings linked to ROPC-based bypass toolsets.
  • CISA Directive 26-01 Mandates

    • Requires federal agencies to immediately disable legacy authentication paths to prevent identity perimeter breaches.
    • Mandates the removal of ROPC flow capabilities or strict limitation to isolated, monitored service accounts.
    • Focuses on bridging the "security gap" where organizations assume global MFA is active while legacy protocols remain enabled.
  • Strategic Remediation and Defense

    • Transition to phishing-resistant MFA standards, such as FIDO2 and Windows Hello for Business.
    • Audit all enabled OAuth flows and Entra ID authentication methods to identify and remove legacy debt.
    • Configure Conditional Access policies to explicitly block all legacy authentication protocols.
  • Operational Risk Management

    • Coordinate with FedRAMP to ensure cloud compliance and rapid response across federal tenants.
    • Secure "break-glass" Emergency Access Accounts (EAA) to prevent lockouts while restricting ROPC.
    • Implement strict exclusion lists and secure credential storage for EAAs to avoid introducing new vulnerabilities.
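The three detection artifacts listed above, expressed as checks over sign-in log records. This is an added example, not code from the briefing or from CISA; the record fields use Microsoft Graph signIn names (authenticationProtocol, authenticationRequirement, authenticationDetails, status.errorCode), every value is constructed, and the MFA check assumes that any succeeded method other than "Password" is a genuine second factor.

```python
from collections import defaultdict

def rec(upn, ip, proto, interactive, req, err, methods):
    """Build a trimmed Entra ID sign-in record using Microsoft Graph signIn field names."""
    return {"userPrincipalName": upn, "ipAddress": ip, "authenticationProtocol": proto,
            "isInteractive": interactive, "authenticationRequirement": req,
            "status": {"errorCode": err},
            "authenticationDetails": [{"authenticationMethod": m, "succeeded": ok} for m, ok in methods]}

# Constructed sample: one source IP sprays several users over ROPC (AADSTS50126 = bad password),
# lands one account with a password alone, while two ordinary interactive sign-ins act as controls.
SAMPLE_SIGNINS = [
    rec("alice@example.test", "203.0.113.10", "ropc", False, "multiFactorAuthentication", 50126, [("Password", False)]),
    rec("bob@example.test", "203.0.113.10", "ropc", False, "multiFactorAuthentication", 50126, [("Password", False)]),
    rec("carol@example.test", "203.0.113.10", "ropc", False, "multiFactorAuthentication", 50126, [("Password", False)]),
    rec("dave@example.test", "203.0.113.10", "ropc", False, "multiFactorAuthentication", 0, [("Password", True)]),
    rec("erin@example.test", "198.51.100.7", "oAuth2", True, "multiFactorAuthentication", 0,
        [("Password", True), ("Microsoft Authenticator App", True)]),
    rec("frank@example.test", "198.51.100.8", "oAuth2", True, "singleFactorAuthentication", 0, [("Password", True)]),
]

def ropc_signins(signins):
    """Every sign-in that arrived over the ROPC grant: the legacy path the directive says to remove."""
    return [s for s in signins if s["authenticationProtocol"] == "ropc"]

def mfa_satisfied_without_challenge(signins):
    """Successful sign-ins where MFA was required but no method other than the password succeeded.
    Assumption: any succeeded non-Password method counts as a real second-factor challenge."""
    flagged = []
    for s in signins:
        if s["status"]["errorCode"] != 0 or s["authenticationRequirement"] != "multiFactorAuthentication":
            continue
        second_factor = [d for d in s["authenticationDetails"]
                         if d["succeeded"] and d["authenticationMethod"] != "Password"]
        if not second_factor:
            flagged.append(s)
    return flagged

def spray_sources(signins, min_users=3):
    """Source IPs with failed-password sign-ins (AADSTS50126) against at least min_users distinct accounts."""
    users_per_ip = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 50126:
            users_per_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: len(users) for ip, users in users_per_ip.items() if len(users) >= min_users}
```

On real tenants, pull the records from the Graph sign-in logs export and raise the spray threshold to suit the tenant's baseline; a non-empty result from the first check is itself evidence that the ROPC path is still enabled.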