M365 Identity OAuth ROPC Grant via Legacy Authentication Client
Identifies a successful login by a user principal through a legacy authenticated client (such as Authenticated SMTP, IMAP, POP, or Exchange ActiveSync) in the Microsoft 365 Unified Audit Log, evidenced by the "BAV2ROPC" user agent. Legacy basic-authentication clients are translated by Entra ID into a Resource Owner Password Credentials (ROPC) grant, a single-factor flow that submits the user's password directly and bypasses interactive multi-factor authentication. This is commonly abused during password spraying and account takeover.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/07/02"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2026/07/02"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a successful login by a user principal through a legacy authenticated client (such as Authenticated SMTP,
11IMAP, POP, or Exchange ActiveSync) in the Microsoft 365 Unified Audit Log, evidenced by the "BAV2ROPC" user agent.
12Legacy basic-authentication clients are translated by Entra ID into a Resource Owner Password Credentials (ROPC) grant,
13a single-factor flow that submits the user's password directly and bypasses interactive multi-factor authentication.
14This is commonly abused during password spraying and account takeover.
15"""
16from = "now-9m"
17index = ["filebeat-*", "logs-o365.audit-*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "M365 Identity OAuth ROPC Grant via Legacy Authentication Client"
21note = """## Triage and analysis
22
23### Investigating M365 Identity OAuth ROPC Grant via Legacy Authentication Client
24
25The Resource Owner Password Credentials (ROPC) flow allows a client to obtain tokens by submitting a user's credentials directly, without interactive sign-in. Legacy authentication clients (Authenticated SMTP, IMAP, POP, Exchange ActiveSync) that use basic authentication are translated by Entra ID into ROPC grants, which are single-factor and bypass interactive MFA. Microsoft 365 records these logins in the Unified Audit Log as `UserLoggedIn` events with the `BAV2ROPC` user agent. Adversaries abuse this flow for password spraying and account takeover against accounts that lack MFA enforcement or fall outside legacy-authentication blocking.
26
27This rule identifies a successful ROPC/legacy-client login for a user principal not seen performing this activity in the last 10 days. Because the Unified Audit Log is a separate pipeline from the Entra ID sign-in diagnostic stream, this rule provides coverage even when non-interactive sign-in logs are not forwarded to the SIEM.
28
29### Possible investigation steps
30- Review `o365.audit.UserId` to identify the account that authenticated and determine whether it is expected to use legacy authentication clients.
31- Review `o365.audit.ApplicationId` and `o365.audit.Target.ID` to identify the targeted resource. `00000002-0000-0ff1-ce00-000000000000` is Office 365 Exchange Online, the typical target of Authenticated SMTP.
32- Confirm the client via `user_agent.original: "BAV2ROPC"`, which indicates a legacy basic-authentication client translated into a ROPC grant.
33- Review `o365.audit.ClientIP` / `source.ip` and geolocation to determine whether the source is expected for this user. Correlate with known-malicious infrastructure or unusual ASNs.
34- Pivot on `o365.audit.UserId` in Entra ID Sign-In Logs (`logs-azure.signinlogs-*`) to corroborate the login, and look for a preceding burst of failed authentications (password spraying) from the same source or against the same account.
35- Review subsequent activity by the account (mailbox access, rule creation, mail forwarding, OAuth consent) for signs of post-compromise actions on objectives.
36
37### False positive analysis
38- Legitimate legacy applications, service accounts, or scripts that still rely on Authenticated SMTP or other basic-authentication clients may trigger this rule. Validate the account, source, and business purpose, and exclude confirmed benign service accounts.
39- Multifunction devices, scan-to-email appliances, and monitoring tools that submit mail via Authenticated SMTP can generate this activity. These are typically stable in source IP and account and can be excluded once verified.
40
41### Response and remediation
42- If the login is confirmed malicious, disable the account, revoke active sessions and refresh tokens, and reset the password.
43- Disable SMTP AUTH and other legacy authentication for the affected mailbox (`Set-CASMailbox -SmtpClientAuthenticationDisabled $true`) and, where feasible, tenant-wide.
44- Enforce a Conditional Access policy that requires MFA and blocks legacy authentication for the affected user and, ideally, all users.
45- Investigate the source IP and any preceding failed-authentication activity to scope a potential password-spray campaign.
46- Review the account's activity after the login (mailbox rules, forwarding, delegate changes, OAuth grants) and remediate any unauthorized changes.
47"""
48references = [
49 "https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign",
50 "https://redcanary.com/blog/threat-detection/bav2ropc/",
51 "https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc",
52 "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema",
53 "https://www.huntress.com/blog/lshiy-password-spray-attack",
54]
55risk_score = 47
56rule_id = "3d753eb2-68c4-404a-9279-91a3ad490765"
57severity = "medium"
58tags = [
59 "Domain: Cloud",
60 "Domain: Identity",
61 "Data Source: Microsoft 365",
62 "Data Source: Microsoft 365 Audit Logs",
63 "Use Case: Identity and Access Audit",
64 "Tactic: Initial Access",
65 "Tactic: Defense Evasion",
66 "Resources: Investigation Guide",
67]
68timestamp_override = "event.ingested"
69type = "new_terms"
70
71query = '''
72data_stream.dataset: "o365.audit" and
73 event.code: "AzureActiveDirectoryStsLogon" and
74 event.action: "UserLoggedIn" and
75 user_agent.original: "BAV2ROPC" and
76 event.outcome: "success"
77'''
78
79
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82[[rule.threat.technique]]
83id = "T1078"
84name = "Valid Accounts"
85reference = "https://attack.mitre.org/techniques/T1078/"
86[[rule.threat.technique.subtechnique]]
87id = "T1078.004"
88name = "Cloud Accounts"
89reference = "https://attack.mitre.org/techniques/T1078/004/"
90
91
92
93[rule.threat.tactic]
94id = "TA0001"
95name = "Initial Access"
96reference = "https://attack.mitre.org/tactics/TA0001/"
97[[rule.threat]]
98framework = "MITRE ATT&CK"
99[[rule.threat.technique]]
100id = "T1078"
101name = "Valid Accounts"
102reference = "https://attack.mitre.org/techniques/T1078/"
103[[rule.threat.technique.subtechnique]]
104id = "T1078.004"
105name = "Cloud Accounts"
106reference = "https://attack.mitre.org/techniques/T1078/004/"
107
108
109
110[rule.threat.tactic]
111id = "TA0005"
112name = "Defense Evasion"
113reference = "https://attack.mitre.org/tactics/TA0005/"
114
115[rule.new_terms]
116field = "new_terms_fields"
117value = ["o365.audit.UserId"]
118[[rule.new_terms.history_window_start]]
119field = "history_window_start"
120value = "now-7d"
Triage and analysis
Investigating M365 Identity OAuth ROPC Grant via Legacy Authentication Client
The Resource Owner Password Credentials (ROPC) flow allows a client to obtain tokens by submitting a user's credentials directly, without interactive sign-in. Legacy authentication clients (Authenticated SMTP, IMAP, POP, Exchange ActiveSync) that use basic authentication are translated by Entra ID into ROPC grants, which are single-factor and bypass interactive MFA. Microsoft 365 records these logins in the Unified Audit Log as UserLoggedIn events with the BAV2ROPC user agent. Adversaries abuse this flow for password spraying and account takeover against accounts that lack MFA enforcement or fall outside legacy-authentication blocking.
This rule identifies a successful ROPC/legacy-client login for a user principal not seen performing this activity in the last 10 days. Because the Unified Audit Log is a separate pipeline from the Entra ID sign-in diagnostic stream, this rule provides coverage even when non-interactive sign-in logs are not forwarded to the SIEM.
Possible investigation steps
- Review
o365.audit.UserIdto identify the account that authenticated and determine whether it is expected to use legacy authentication clients. - Review
o365.audit.ApplicationIdando365.audit.Target.IDto identify the targeted resource.00000002-0000-0ff1-ce00-000000000000is Office 365 Exchange Online, the typical target of Authenticated SMTP. - Confirm the client via
user_agent.original: "BAV2ROPC", which indicates a legacy basic-authentication client translated into a ROPC grant. - Review
o365.audit.ClientIP/source.ipand geolocation to determine whether the source is expected for this user. Correlate with known-malicious infrastructure or unusual ASNs. - Pivot on
o365.audit.UserIdin Entra ID Sign-In Logs (logs-azure.signinlogs-*) to corroborate the login, and look for a preceding burst of failed authentications (password spraying) from the same source or against the same account. - Review subsequent activity by the account (mailbox access, rule creation, mail forwarding, OAuth consent) for signs of post-compromise actions on objectives.
False positive analysis
- Legitimate legacy applications, service accounts, or scripts that still rely on Authenticated SMTP or other basic-authentication clients may trigger this rule. Validate the account, source, and business purpose, and exclude confirmed benign service accounts.
- Multifunction devices, scan-to-email appliances, and monitoring tools that submit mail via Authenticated SMTP can generate this activity. These are typically stable in source IP and account and can be excluded once verified.
Response and remediation
- If the login is confirmed malicious, disable the account, revoke active sessions and refresh tokens, and reset the password.
- Disable SMTP AUTH and other legacy authentication for the affected mailbox (
Set-CASMailbox -SmtpClientAuthenticationDisabled $true) and, where feasible, tenant-wide. - Enforce a Conditional Access policy that requires MFA and blocks legacy authentication for the affected user and, ideally, all users.
- Investigate the source IP and any preceding failed-authentication activity to scope a potential password-spray campaign.
- Review the account's activity after the login (mailbox rules, forwarding, delegate changes, OAuth grants) and remediate any unauthorized changes.
References
Related rules
- M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device)
- M365 Identity Device Code Grant with Unusual User and ASN
- Entra ID Kali365 Default User-Agent Detected
- M365 Identity Login from Atypical Region
- M365 Identity Login from Impossible Travel Location