[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftbk1nQ47OuBIDPSxgaUX2_Z1iQTILAj51b5gqLQ12Qs":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"8392e619-ca36-4e60-b774-727f8235fefe","OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials","oauth-client-id-spoofing-lets-attackers-validate-stolen-microsoft-entra-credenti-5019a8","At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry. The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun","Two distinct threat actor groups are exploiting a novel OAuth client ID spoofing technique to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments while evading sign-in telemetry. By providing spoofed OAuth client IDs in authentication requests, attackers can infer valid usernames and passwords at scale without generating successful sign-in events that would alert defenders. The campaigns UNK_pyreq2323 and UNK_OutFlareAZ have targeted thousands of tenants, affecting millions of users since late 2025.","OAuth client ID spoofing lets attackers validate stolen Microsoft Entra credentials without detection.","OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials Ravie LakshmananJul 14, 2026Cloud Security \u002F Identity Security At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry. The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun to exploit this gap to obtain unauthorized access to an organization's cloud services. \"A blind spot in cloud sign-in telemetry: Entra ID returns different error responses depending on whether a supplied OAuth client ID is valid,\" Proofpoint said in a statement. \"Attackers exploit this to infer valid usernames and correct passwords at scale, effectively checking stolen credential lists without logging a successful login.\" In other words, the attacks leverage the OAuth client ID, a globally unique identifier (GUID) assigned to applications when requesting access to user data, and is passed as \"client_id\" in authentication requests. By providing spoofed client IDs, it enables account enumeration without a registered OAuth application and permits attackers to infer both password and account validity without generating a successful sign-in event. \"The Entra sign‑in logs are a primary telemetry source for identifying malicious authentication activity, including user enumeration, password spraying, and initial access attempts,\" Proofpoint researcher Rachel Rabin said. Threat clusters like UNK_CustomCloak have been observed spoofing User-Agent strings to orchestrate brute-force campaigns targeting Microsoft Entra ID environments by exploiting a legacy, discontinued first-party application called Windows Live Custom Domains to bypass standard sign-in restrictions and probe user passwords across over 4,000 tenants. But the latest efforts mark an evolution of this tradecraft by spoofing the OAuth client IDs via HTTP POST requests to Microsoft's OAuth 2.0 token endpoint using the Resource Owner Password Credentials (ROPC) flow. Specifically, this involves supplying a syntactically valid client ID but one that does not correspond to a real application. In such scenarios, only the application ID is recorded in the Entra sign-in log without a corresponding application name. The response, which contains an Azure Active Directory Security Token Service (AADSTS) error code, can then be used to infer whether the account exists and whether the password is correct without a registered application. \"If the spoofed client ID is not a proper UUIDv4, Entra does not reject the request outright,\" Proofpoint explained. \"Attackers can therefore analyze this error response to identify valid accounts and passwords, despite using malformed client IDs.\" \"When a spoofed client ID is used, no corresponding application name is recorded in the sign-in log. This means that detections that look for surges against a specific application name may miss this activity entirely, as the field is blank.\" Armed with this information, attackers could identify accounts that could be exploited for stealthy access, at the same time making it challenging for defenders to identify suspicious activity. Proofpoint said it has identified two large campaigns that have independently adopted the technique towards the end of December 2025, indicating the approach is being increasingly incorporated into attacker tradecraft as opposed to being an isolated incident: UNK_pyreq2323 (from January to March 2026), which used more than 700,000 spoofed client IDs from Amazon Web Services (AWS) infrastructure to target more than 1 million accounts across nearly 4,000 tenants, causing lockouts for roughly 28% of targeted users due to failed attempts. UNK_OutFlareAZ (starting Dec 2025), which leveraged Cloudflare infrastructure to target over 2 million users with 3.7 million randomized spoofed application IDs. Both the campaigns have been observed using valid UUIDs rather than malformed identifiers and demonstrate patterns that align with precompiled username wordlists. That said, while UNK_OutFlareAZ enumerated users alphabetically, UNK_pyreq2323 did not. Another aspect in which they differed was in how the client IDs were spoofed. UNK_pyreq2323 is said to have modified the trailing digits of a known application ID, and then reused spoofed IDs across up to 12 users. In contrast, UNK_OutFlareAZ generated a unique client ID per request. \"By fragmenting authentication attempts across many fictional applications, activity becomes harder to correlate and may evade per-application detections and rate limiting,\" Proofpoint said. \"Organizations may attempt to mitigate traditional enumeration attacks by applying Conditional Access policies scoped to applications commonly targeted for enumeration. Spoofed client IDs won't trigger CA policies that are scoped to a specific application.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Authentication, Brute force, Cloud security, Identity Security, Microsoft, OAuth Security, User Enumeration ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP\u002F3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New \"Bad Epoll\" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Foauth-client-id-spoofing-lets-attackers.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjmB1bLC9cna7xlnvFdK0hUnsi8jeo6E7jMh20nj4XTvsF9ogpjbnlPCxx9QYQ1O2aS7JiSDQi4swIRNG6-Xjg2TGR4bn4Zn-KBkjsLTYcKUrXOD-rlGu4XYsvRx06eRqrT4duW0xwklKeYjZvRV1VSarJBKldBzN4DNhkWudVCGRdKPi9uVGrqEwL66mz5\u002Fs1600\u002FOAuth-ClientID.jpg","2026-07-14T11:21:35+00:00","2026-07-14T14:00:22.120699+00:00",9,[18,21,24,26,29,32],{"name":19,"type":20},"Microsoft","vendor",{"name":22,"type":23},"Microsoft Entra ID","product",{"name":25,"type":23},"Azure Active Directory",{"name":27,"type":28},"OAuth 2.0","technology",{"name":30,"type":31},"UNK_CustomCloak","threat_actor",{"name":33,"type":31},"UNK_pyreq2323","2c8f44d4-b56e-47cf-9677-04f22c9ee78d",{"id":34,"icon":36,"name":37,"slug":38},null,"Identity & Access","identity-access",[40,45,50],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,59,61,64,68],{"type":57,"value":30,"context":58},"malware","Threat cluster spoofing User-Agent strings and exploiting legacy Windows Live Custom Domains application for Microsoft Entra ID brute-force campaigns",{"type":57,"value":33,"context":60},"Campaign from January to March 2026 using 700,000+ spoofed client IDs from AWS infrastructure targeting 1M+ accounts across 4,000 tenants",{"type":57,"value":62,"context":63},"UNK_OutFlareAZ","Campaign starting December 2025 leveraging Cloudflare infrastructure to target 2M+ users with OAuth client ID spoofing",{"type":65,"value":66,"context":67},"mitre_attack","T1110.003","Password spraying attack technique used by threat actors",{"type":65,"value":69,"context":70},"T1087","Account enumeration via OAuth client ID spoofing to infer valid usernames"]