When Passwords Win: A Deep Dive into ROPC-Enabled MFA Bypasses 

Attackers can bypass MFA by abusing the OAuth 2.0 Resource Owner Password Credentials (ROPC) flow: a stolen username and password is exchanged directly for tokens while presenting the client_id of a pre-approved public client application in a Microsoft Entra ID tenant. Detection and mitigation require logging and correlating token and grant events, revoking refresh tokens, disabling legacy grants for implicated apps, and enforcing stronger, phishing-resistant authentication controls. #ROPC #MicrosoftEntraID

Keypoints

  • ROPC (Resource Owner Password Credentials) is an OAuth 2.0 legacy grant that allows a client to exchange a username and password directly for tokens, bypassing interactive flows.
  • Public clients and default first-party Microsoft apps in a tenant are often pre-approved and may have ROPC enabled, creating an implicit trust attackers can exploit.
  • Attackers with only stolen credentials can call the token endpoint (e.g., login.microsoftonline.com/…/token) using a trusted client_id to obtain access and refresh tokens, completely bypassing MFA.
  • The offline_access scope is especially dangerous because it yields refresh tokens, enabling persistent, silent access long after the initial compromise.
  • Detection is possible by collecting and analyzing identity logs for grant_type=password events, unexpected client_id usage, non-interactive token issuance, and anomalous refresh token grants.
  • Immediate mitigations include revoking suspicious refresh tokens, rotating compromised credentials, disabling legacy ROPC grants for implicated apps, and enforcing phishing-resistant MFA.
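The detection keypoint above, turned into a small detector as an added example (not code from the Varonis post). It parses constructed JSON-lines sign-in events whose field names (appId, isInteractive, authenticationProtocol, scopes, mfaCompleted) are assumptions loosely modelled on Entra ID sign-in log properties, and the Azure CLI client_id is a placeholder because the page elides it.

```python
import json

# Constructed allowlist of pre-approved public client IDs the tenant trusts.
# The real Azure CLI ID is elided on the page, so a placeholder stands in.
TRUSTED_PUBLIC_CLIENTS = {"04b07795-PLACEHOLDER-AZURE-CLI": "Microsoft Azure CLI"}

# Constructed sample sign-in events (JSON lines). Field names are assumptions
# loosely modelled on Entra ID sign-in log properties, not a verified schema.
SAMPLE_LOG = """\
{"upn": "alice@example.com", "appId": "04b07795-PLACEHOLDER-AZURE-CLI", "isInteractive": false, "authenticationProtocol": "ropc", "scopes": "offline_access https://graph.microsoft.com/.default", "mfaCompleted": false, "ip": "203.0.113.7"}
{"upn": "alice@example.com", "appId": "04b07795-PLACEHOLDER-AZURE-CLI", "isInteractive": true, "authenticationProtocol": "oAuth2", "scopes": "https://graph.microsoft.com/.default", "mfaCompleted": true, "ip": "198.51.100.20"}
{"upn": "bob@example.com", "appId": "aaaaaaaa-0000-0000-0000-000000000001", "isInteractive": false, "authenticationProtocol": "ropc", "scopes": "User.Read", "mfaCompleted": false, "ip": "198.51.100.20"}
"""

def ropc_reasons(event: dict) -> list:
    """Return the detection indicators that apply to one sign-in event."""
    reasons = []
    if event.get("authenticationProtocol") != "ropc":
        return reasons  # only ROPC (grant_type=password) issuance is in scope
    reasons.append("ROPC (grant_type=password) token issuance")
    if not event.get("isInteractive") and not event.get("mfaCompleted"):
        reasons.append("non-interactive issuance with no MFA claim")
    app = event.get("appId")
    if app in TRUSTED_PUBLIC_CLIENTS:
        reasons.append(f"pre-approved public client: {TRUSTED_PUBLIC_CLIENTS[app]}")
    if "offline_access" in event.get("scopes", "").split():
        reasons.append("offline_access requested: refresh token granted")
    return reasons

def find_ropc_suspects(log_text: str, min_reasons: int = 3) -> dict:
    """Map UPN -> accumulated indicators for events that reach min_reasons.
    The threshold keeps a lone legitimate ROPC sign-in from alerting."""
    suspects = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = ropc_reasons(event)
        if len(reasons) >= min_reasons:
            suspects.setdefault(event["upn"], []).extend(reasons)
    return suspects

if __name__ == "__main__":
    for upn, reasons in find_ropc_suspects(SAMPLE_LOG).items():
        print(upn, "->", "; ".join(reasons))
```

A hit should trigger the mitigations listed above (revoke refresh tokens, rotate the credential, review whether the implicated app needs ROPC at all) rather than only an alert.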

MITRE Techniques

  • [T1078] Valid Accounts – Attackers use stolen usernames and passwords to authenticate via the legacy ROPC flow and obtain tokens (‘attacker has obtained a valid username and password… they go directly to the token endpoint’).

Indicators of Compromise

  • [Domain/URL] token endpoint and API endpoints – https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token, https://graph.microsoft.com/.default
  • [Client ID (Application ID)] pre-approved public client identifiers used to impersonate trusted apps – example: Azure CLI client_id (04b07795…), and other Microsoft first-party app IDs
  • [OAuth Scope] scopes requested in token requests that indicate high blast radius or persistence – offline_access, https://graph.microsoft.com/.default

Read more: https://www.varonis.com/blog/deep-dive-into-ropc