Back to advisories

OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials

Two threat actor groups are using OAuth client ID spoofing to validate stolen Microsoft Entra credentials without triggering sign-in alerts. Attackers enumerate valid usernames and test passwords at scale while remaining invisible to standard telemetry. Millions of users across thousands of tenants are potentially affected.

CRITICALAdvisoryJul 15, 2026
Action required
Hunt for failed Entra authentication attempts with unusual or spoofed OAuth client IDs. Cross-reference with credential breach lists. Enable advanced sign-in risk detection and review non-interactive authentication patterns for anomalies.
Affected products
MicrosoftMicrosoft Entra IDAzure Active Directory