Not every cloud breach starts with malware or a zero-day. In this incident, attackers discovered an exposed Spring Boot Actuator endpoint, harvested credentials from leaked configuration data, then used the OAuth2 Resource Owner Password Credentials (ROPC) flow to authenticate without MFA.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

A real-world cloud breach case study where attackers exploited an exposed Spring Boot Actuator /configprops endpoint to discover a SharePoint service account username, then found plaintext Azure AD client secrets in a spreadsheet. Using the OAuth2 Resource Owner Password Credentials (ROPC) flow, they combined both pieces of stolen data to authenticate against Azure AD without triggering MFA, obtaining a Microsoft Graph token that enabled SharePoint data exfiltration. The post details all four attack phases and recommends disabling public Actuator endpoints, eliminating plaintext credential storage, and disabling ROPC in favor of modern authentication flows.

From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA

Phase 2: Plaintext secrets in a spreadsheet

Phase 3: Authentication abuse – ROPC login