Proofpoint
OAuth Client ID Spoofing Threatens Microsoft Entra Security
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Cybercriminals are increasingly using OAuth client ID spoofing to conduct account enumeration against Microsoft Entra, the identity management service. This method allows attackers to infer username and password validity without triggering alerts or generating successful sign-in events. Proofpoint has reported multiple campaigns utilizing this technique, with one campaign using over 3.7 million spoofed IDs to target more than two million users across nearly 4,000 organizations. The spoofed client IDs create blank entries in Entra's logs, making detection difficult for security teams. Attackers exploit the Resource Owner Password Credentials flow to submit credentials directly, bypassing traditional security measures like conditional access policies. The rise of this technique poses a significant risk to organizations relying on Microsoft Entra for identity management.
Key Points: • OAuth client ID spoofing allows attackers to enumerate accounts without detection. • Over 3.7 million spoofed IDs were used in a recent campaign targeting millions of users. • The technique bypasses traditional security measures, complicating detection efforts.