How Hackers Exploit Fake OAuth Client IDs to Bypass Sign-In Logs
Adversaries are exploiting fake OAuth client IDs to evade Microsoft Entra ID sign-in monitoring, creating blind spots in threat detection.
Understanding the Technique
Adversaries conducting account enumeration against Microsoft cloud environments have introduced a method to evade standard telemetry by impersonating OAuth client IDs. These identifiers, which serve as unique application references in authentication requests, are manipulated to obscure malicious activity within Microsoft Entra ID sign-in logs. The technique exploits how the platform records application identifiers, creating a vulnerability that attackers are actively exploiting.
How the Spoofing Works
Entra ID’s sign-in logs are critical for detecting malicious authentication patterns, including user enumeration, password spraying, and initial access attempts. Traditional evasion tactics involve rotating user agents and proxy services to mask activity. Client ID spoofing represents an advanced extension of these methods. By falsifying the client_id parameter, attackers can enumerate user accounts and validate credentials without triggering standard sign-in records.
The method involves sending POST requests to Microsoft’s OAuth 2.0 token endpoint using the Resource Owner Password Credentials flow, which requires a username and password. Proofpoint researchers demonstrated this approach by using a custom PowerShell module, Invoke-ClientIdSpoofEnum, to analyze Entra ID’s responses to various client ID configurations.
Implications for Detection
The system’s reactions provide actionable intelligence: a specific error code indicates an invalid username, another signals a valid username with an incorrect password, while AADSTS700016 appears when both credentials are correct. The absence of a sign-in log entry for successful authentication attempts creates a blind spot for defenders. The application name field remains empty in logs when client IDs are spoofed, allowing malicious activity to bypass detections reliant on application-specific metrics.
This tactic also undermines traditional enumeration tools designed for first-party applications, such as Azure AD PowerShell modules. By distributing requests across thousands of fabricated applications, attackers dilute detection signals, evade rate limits, and bypass conditional access policies tied to specific applications.
Real-World Campaigns
The technique has been in use for years, but the challenge for attackers lies in identifying exploitable fields before defenses adapt. Discussions in underground forums frequently highlight potential spoofable elements, with adversaries rapidly adopting new methods.
Case Study: UNK_pyreq2323
Proofpoint identified two distinct campaigns employing this approach. The first, designated UNK_pyreq2323, operated from AWS infrastructure using the python-requests/2.32.3 user agent. It generated over 700,000 spoofed client IDs by modifying the Exchange Online application prefix with randomized digits. The campaign targeted nearly 4,000 tenants, affecting over a million user accounts and causing account lockouts for 28% of affected users.
Case Study: UNK_OutFlareAZ
A second campaign, UNK_OutFlareAZ, utilized Cloudflare infrastructure and executed two waves of activity peaking in late December 2025 and March 2026. It deployed 3.7 million randomly generated UUIDv4 application IDs per request, demonstrating a more sophisticated approach. The campaign targeted over 2 million users, with enumeration patterns suggesting shared wordlists for generic usernames like dsmith and jbrown.
Broader Industry Implications
Despite differences in infrastructure, client ID generation, and enumeration strategies, both campaigns indicate independent operators adopting the same technique. Researchers note that multiple campaigns using this method have been observed, though attribution to specific threat actors remains unresolved.
The rapid dissemination of spoofing techniques following public disclosures highlights the speed at which adversaries adopt new methods. The issue extends beyond Microsoft Entra ID, reflecting a broader industry challenge. While the research focuses on this specific platform, similar vulnerabilities likely exist across other identity providers, with variations in implementation details.
Recommendations for Security Teams
Security teams should prioritize reviewing sign-in entries with missing application IDs or mismatched application names as potential indicators of client ID spoofing. The AADSTS700016 error code requires particular attention, as it may signify confirmed valid credentials without a corresponding successful sign-in record.
The findings underscore the evolving nature of authentication-based attacks and the need for adaptive detection strategies. Organizations must reassess their monitoring frameworks to account for techniques that bypass traditional logging mechanisms. The reliance on application-specific metrics creates inherent risks that require continuous evaluation of identity provider configurations.
“The rapid dissemination of spoofing techniques following public disclosures highlights the speed at which adversaries adopt new methods.” – Proofpoint Researchers
Conclusion
As attackers refine their methods, defenders must implement layered approaches to detect anomalies in authentication patterns, regardless of standard log entries. The incident highlights the importance of correlating multiple data sources to identify sophisticated threats that exploit gaps in conventional monitoring practices.
