Proofpoint
OAuth Client ID Spoofing Threatens Microsoft Entra ID Security
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Cybercriminals are exploiting a novel technique of OAuth client ID spoofing to enumerate accounts on Microsoft Entra ID without generating successful sign-in events. This method allows attackers to infer the validity of usernames and passwords by sending POST requests to Microsoft's OAuth 2.0 token endpoint using the Resource Owner Password Credentials (ROPC) flow. The technique is stealthy, making it difficult for organizations to detect malicious activity in their sign-in logs. Proofpoint researchers have tracked multiple campaigns using this method, targeting millions of user accounts across thousands of Microsoft Entra tenants. The attackers often spoof common usernames to enhance their enumeration efforts. Organizations are advised to monitor for blank application IDs in sign-in logs as a potential indicator of this attack vector.
Key Points: • Attackers are using OAuth client ID spoofing to bypass detection in Microsoft Entra ID. • This technique allows for account enumeration without successful sign-ins, making detection challenging. • Proofpoint has observed multiple campaigns targeting millions of accounts using this method.