M365 Identity OAuth ROPC Grant via Legacy Authentication Client

Last updated 7 days ago on 2026-07-02
Created 7 days ago on 2026-07-02

About

Identifies a successful login by a user principal through a legacy authenticated client (such as Authenticated SMTP, IMAP, POP, or Exchange ActiveSync) in the Microsoft 365 Unified Audit Log, evidenced by the "BAV2ROPC" user agent. Legacy basic-authentication clients are translated by Entra ID into a Resource Owner Password Credentials (ROPC) grant, a single-factor flow that submits the user's password directly and bypasses interactive multi-factor authentication. This is commonly abused during password spraying and account takeover.
Tags
Domain: CloudDomain: IdentityData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsUse Case: Identity and Access AuditTactic: Initial AccessTactic: Defense EvasionLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-o365.audit-*
Related Integrations

o365(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "o365.audit" and event.code: "AzureActiveDirectoryStsLogon" and event.action: "UserLoggedIn" and user_agent.original: "BAV2ROPC" and event.outcome: "success"

Install detection rules in Elastic Security

Detect M365 Identity OAuth ROPC Grant via Legacy Authentication Client in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).