OAuth Client ID Spoofing Targets Millions of Microsoft Entra Accounts
Researchers uncover a widespread cybersecurity threat exploiting OAuth client ID spoofing to compromise Microsoft Entra accounts.
Introduction
Researchers have uncovered a widespread cybersecurity threat involving the exploitation of OAuth client ID spoofing to target Microsoft Entra accounts. Attackers leverage this method to validate user credentials and bypass standard authentication safeguards at scale. The technique involves manipulating OAuth client identifiers to probe account legitimacy and test login attempts without triggering conventional detection mechanisms.
Technical Indicators
The campaigns, analyzed by Proofpoint, demonstrate a sophisticated approach to cloud account enumeration. By spoofing client IDs, threat actors can determine whether a username exists, identify incorrect passwords, and in some cases, confirm valid username-password combinations without completing a full authentication process. This method exploits gaps in how Microsoft Entra handles sign-in requests, allowing adversaries to gather intelligence without leaving clear traces in standard logs.
Error Codes and Detection Challenges
Technical indicators reveal that responses to spoofed requests provide specific error codes. For instance, a valid username with an incorrect password generates the AADSTS50126 error, while an invalid username triggers AADSTS50034. However, attempts against non-existent accounts do not appear in Entra sign-in logs, complicating detection efforts. When valid credentials are submitted alongside a spoofed client ID, the system may still return error messages, but the attack remains undetected by traditional application-based monitoring tools.
Campaigns
UNK_pyreq2323
The first campaign, designated UNK_pyreq2323, began in January 2026 and targeted over one million accounts across nearly 4,000 Microsoft Entra tenants. The operation utilized more than 700,000 spoofed client IDs, sourced from Amazon Web Services infrastructure with a python-requests/2.32.3 user agent. The high volume of failed authentication attempts led to the temporary lockout of approximately 28% of targeted accounts. Attackers modified the final six digits of a known Exchange Online application ID to distribute requests, ensuring each spoofed identifier was used against a limited number of accounts.
UNK_OutFlareAZ
A separate campaign, labeled UNK_OutFlareAZ, emerged in December 2025 and targeted over two million users. This operation generated around 3.7 million spoofed application IDs via Cloudflare infrastructure. Each request featured a unique UUIDv4 client ID, a more advanced approach than the modified Exchange Online identifiers used in the earlier campaign. The attackers employed an Outlook-style user agent and systematically tested usernames in alphabetical order, contrasting with the non-alphabetical sequence observed in UNK_pyreq2323.
Conclusion and Recommendations
Despite differing execution methods, both campaigns demonstrated the same core technique, indicating independent adoption by multiple threat actors. The campaigns highlight the evolving tactics of cybercriminals in exploiting cloud authentication frameworks. Proofpoint advises organizations to scrutinize Microsoft Entra sign-in records for anomalies such as missing application names, unexpected application IDs, or incomplete application metadata. These indicators can signal the presence of spoofed client ID activity, even when traditional detection methods fail to flag the threat.
The findings underscore the need for enhanced monitoring of OAuth-related traffic and the implementation of adaptive security measures to counteract credential enumeration techniques. As threat actors continue to refine their methods, enterprises must remain vigilant in addressing vulnerabilities within cloud authentication protocols.
Conclusion
The evolving tactics of cybercriminals emphasize the importance of robust security strategies. Organizations must prioritize continuous monitoring, update authentication protocols, and stay informed about emerging threats to protect their cloud infrastructure effectively.
