- Threat actors are using OAuth client ID spoofing to silently enumerate accounts and validate credentials in Microsoft Entra ID.
- The technique exploits a telemetry blind spot, as Entra ID returns different error codes for valid vs. invalid client IDs without logging a successful sign-in.
- Two major campaigns, UNK_pyreq2323 and UNK_OutFlareAZ, have weaponized this method, targeting over 2 million accounts across thousands of tenants.
Security researchers at Proofpoint have uncovered a novel evasion technique called OAuth client ID spoofing that allows threat actors to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments without generating a successful sign-in event. The activity exploits a blind spot in cloud sign-in telemetry, as Entra ID returns different responses depending on whether a supplied OAuth client ID is valid.
“Attackers exploit this to infer valid usernames and correct passwords at scale, effectively checking stolen credential lists without logging a successful login,” Proofpoint stated. The technique involves spoofing the client_id parameter in HTTP POST requests to Microsoft’s OAuth 2.0 token endpoint using the Resource Owner Password Credentials flow.
Consequently, only the application ID is recorded in the sign-in log without a corresponding application name, allowing attackers to evade detections that monitor for surges against specific applications. Proofpoint identified two large campaigns that independently adopted this technique starting in late December 2025.
The first campaign, UNK_pyreq2323, ran from January to March 2026 and used over 700,000 spoofed client IDs from AWS infrastructure to target more than 1 million accounts. The second campaign, UNK_OutFlareAZ, leveraged Cloudflare infrastructure to target over 2 million users with 3.7 million randomized spoofed application IDs.
“By fragmenting authentication attempts across many fictional applications, activity becomes harder to correlate and may evade per-application detections and rate limiting,” Proofpoint noted. The researchers warned that organizations relying on Conditional Access policies scoped to specific applications may find these defenses ineffective against the spoofing technique.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
