BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Attackers exploit Microsoft Entra ID OAuth spoofing blind spot

OAuth client ID spoofing exploits Entra ID blind spot to validate credentials silently.

  • Threat actors are using OAuth client ID spoofing to silently enumerate accounts and validate credentials in Microsoft Entra ID.
  • The technique exploits a telemetry blind spot, as Entra ID returns different error codes for valid vs. invalid client IDs without logging a successful sign-in.
  • Two major campaigns, UNK_pyreq2323 and UNK_OutFlareAZ, have weaponized this method, targeting over 2 million accounts across thousands of tenants.

Security researchers at Proofpoint have uncovered a novel evasion technique called OAuth client ID spoofing that allows threat actors to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments without generating a successful sign-in event. The activity exploits a blind spot in cloud sign-in telemetry, as Entra ID returns different responses depending on whether a supplied OAuth client ID is valid.

- Advertisement -

“Attackers exploit this to infer valid usernames and correct passwords at scale, effectively checking stolen credential lists without logging a successful login,” Proofpoint stated. The technique involves spoofing the client_id parameter in HTTP POST requests to Microsoft’s OAuth 2.0 token endpoint using the Resource Owner Password Credentials flow.

Consequently, only the application ID is recorded in the sign-in log without a corresponding application name, allowing attackers to evade detections that monitor for surges against specific applications. Proofpoint identified two large campaigns that independently adopted this technique starting in late December 2025.

The first campaign, UNK_pyreq2323, ran from January to March 2026 and used over 700,000 spoofed client IDs from AWS infrastructure to target more than 1 million accounts. The second campaign, UNK_OutFlareAZ, leveraged Cloudflare infrastructure to target over 2 million users with 3.7 million randomized spoofed application IDs.

“By fragmenting authentication attempts across many fictional applications, activity becomes harder to correlate and may evade per-application detections and rate limiting,” Proofpoint noted. The researchers warned that organizations relying on Conditional Access policies scoped to specific applications may find these defenses ineffective against the spoofing technique.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

UK HMRC to defer capital gains tax on crypto loans, pools

HM Revenue and Customs (HMRC) will treat certain crypto loan and liquidity pool disposals...

Google Stock Below $350; Citi, UBS Predict Double-Digit Surge

Google stock (NASDAQ: GOOG) fell below $350 on Tuesday, reversing from a yearly high...

HMRC: DeFi deposits now no-gain, no-loss for tax

UK tax authority HMRC will treat deposits into DeFi lending protocols and liquidity pools...

CleanSpark Soars on $6.6B 20-Year Georgia Lease

CleanSpark's new 20-year infrastructure lease at its Sandersville, Georgia campus is expected to generate...

cUSD stabledrop u-turn sparks $23M withdrawals, backlash

Cap Labs slashed its “stabledrop” from $12 million to $4.2 million, redirecting funds to...

Must Read

17 Best Cryptocurrency Wallets

If you are looking for a list with the best cryptocurrency wallets, then you've landed on the right page. Cryptocurrency, as we all know,...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading