[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:oauth-client-id-spoofing-lets-attackers-validate-stolen-microsoft-entra-credenti-mrlfurli":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":12,"action_required":16,"article_ids":17,"ioc_summary":19,"source_urls":20,"status":22,"expires_at":23,"created_at":24,"updated_at":25,"articles":26},"4621f9e8-299e-4d98-bcba-169d019b3394","OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials","oauth-client-id-spoofing-lets-attackers-validate-stolen-microsoft-entra-credenti-mrlfurli","Two threat actor groups are using OAuth client ID spoofing to validate stolen Microsoft Entra credentials without triggering sign-in alerts. Attackers enumerate valid usernames and test passwords at scale while remaining invisible to standard telemetry. Millions of users across thousands of tenants are potentially affected.","critical","advisory",[],[13,14,15],"Microsoft","Microsoft Entra ID","Azure Active Directory","Hunt for failed Entra authentication attempts with unusual or spoofed OAuth client IDs. Cross-reference with credential breach lists. Enable advanced sign-in risk detection and review non-interactive authentication patterns for anomalies.",[18],"8392e619-ca36-4e60-b774-727f8235fefe",null,[21],"https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Foauth-client-id-spoofing-lets-attackers.html","active","2026-07-17T02:05:49.478+00:00","2026-07-15T02:05:52.631799+00:00","2026-07-15T02:10:04.498675+00:00",[27],{"id":18,"title":6,"url":21}]