Ethical Hacking News
A novel attack vector known as OAuth client ID spoofing has been exposed by Microsoft Entra credentials, allowing threat actors to enumerate user accounts and validate stolen credentials without generating a successful sign-in event. This technique relies on exploiting a blind spot in cloud sign-in telemetry and can be used to identify valid usernames and correct passwords at scale.
With the increasing adoption of OAuth client ID spoofing by threat actors, organizations must take immediate action to secure their identity providers and mitigate this vulnerability before it's too late.
OAuth client ID spoofing is a novel attack vector that allows attackers to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments. The attack relies on exploiting a blind spot in cloud sign-in telemetry, where different error responses are returned depending on the validity of the supplied OAuth client ID. Attackers can use spoofed client IDs to enumerate accounts without a registered OAuth application and infer password and account validity without generating a successful sign-in event. The threat actors are observed using HTTP POST requests to Microsoft's OAuth 2.0 token endpoint using the Resource Owner Password Credentials (ROPC) flow to spoof client IDs. The attack can be challenging for defenders to detect, as it involves analyzing error responses and may evade per-application detections and rate limiting.
In a recent breakthrough, cybersecurity experts have exposed a novel attack vector known as OAuth client ID spoofing, which has been found to be exploited by at least two distinct threat actors in cloud campaigns. This novel evasion technique allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments without generating a successful sign-in event that would otherwise alert defenders.
According to Proofpoint, the attack relies on exploiting a blind spot in cloud sign-in telemetry, where different error responses are returned depending on whether a supplied OAuth client ID is valid. Attackers exploit this gap to infer valid usernames and correct passwords at scale, effectively checking stolen credential lists without logging a successful login. By providing spoofed client IDs, it enables account enumeration without a registered OAuth application and permits attackers to infer both password and account validity without generating a successful sign-in event.
The attack leverages the OAuth client ID, a globally unique identifier assigned to applications when requesting access to user data, and is passed as "client_id" in authentication requests. By providing spoofed client IDs, it enables attackers to enumerate accounts without a registered OAuth application and allows them to infer both password and account validity without generating a successful sign-in event.
The threat actors are observed spoofing User-Agent strings to orchestrate brute-force campaigns targeting Microsoft Entra ID environments by exploiting a legacy, discontinued first-party application called Windows Live Custom Domains. However, the latest efforts mark an evolution of this tradecraft by spoofing the OAuth client IDs via HTTP POST requests to Microsoft's OAuth 2.0 token endpoint using the Resource Owner Password Credentials (ROPC) flow.
Specifically, this involves supplying a syntactically valid client ID but one that does not correspond to a real application. In such scenarios, only the application ID is recorded in the Entra sign-in log without a corresponding application name. The response, which contains an Azure Active Directory Security Token Service (AADSTS) error code, can then be used to infer whether the account exists and whether the password is correct without a registered application.
If the spoofed client ID is not a proper UUIDv4, Entra does not reject the request outright. Attackers can therefore analyze this error response to identify valid accounts and passwords, despite using malformed client IDs. When a spoofed client ID is used, no corresponding application name is recorded in the sign-in log. This means that detections that look for surges against a specific application name may miss this activity entirely, as the field is blank.
Armed with this information, attackers could identify accounts that could be exploited for stealthy access, at the same time making it challenging for defenders to identify suspicious activity. Proofpoint has identified two large campaigns that have independently adopted the technique towards the end of December 2025, indicating the approach is being increasingly incorporated into attacker tradecraft as opposed to being an isolated incident.
The first campaign, UNK_pyreq2323, used more than 700,000 spoofed client IDs from Amazon Web Services (AWS) infrastructure to target more than 1 million accounts across nearly 4,000 tenants. This caused lockouts for roughly 28% of targeted users due to failed attempts. The second campaign, UNK_OutFlareAZ, leveraged Cloudflare infrastructure to target over 2 million users with 3.7 million randomized spoofed application IDs.
Both campaigns have been observed using valid UUIDs rather than malformed identifiers and demonstrate patterns that align with precompiled username wordlists. However, while UNK_OutFlareAZ enumerated users alphabetically, UNK_pyreq2323 did not. Another aspect in which they differed was in how the client IDs were spoofed.
UNK_pyreq2323 is said to have modified the trailing digits of a known application ID, and then reused spoofed IDs across up to 12 users. In contrast, UNK_OutFlareAZ generated a unique client ID per request. By fragmenting authentication attempts across many fictional applications, activity becomes harder to correlate and may evade per-application detections and rate limiting.
Organizations may attempt to mitigate traditional enumeration attacks by applying Conditional Access policies scoped to applications commonly targeted for enumeration. However, spoofed client IDs will not trigger CA policies that are scoped to a specific application. Proofpoint's director of threat research, Yaniv Miron, stated that "we do believe that other identity providers are possibly exposed to such issues." Spoofing in general has been a well-known method for years; adversaries will attempt to spoof anything that they can (different fields usually), including client ID.
Adversaries are constantly monitoring threat researchers' blogs and publications, so we believe that they are adopting public research into their attacks. The problem of OAuth client ID spoofing is specific to Microsoft, but it has significant implications for organizations using identity providers with similar security vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/OAuth-Client-ID-Spoofing-A-Novel-Attack-Vector-Exposed-by-Microsoft-Entra-Credentials-ehn.shtml
https://thehackernews.com/2026/07/oauth-client-id-spoofing-lets-attackers.html
Published: Wed Jul 15 03:54:25 2026 by llama3.2 3B Q4_K_M