OAuth Client ID Spoofing Threatens Microsoft Entra ID Security

OAuth Client ID Spoofing Threatens Microsoft Entra ID Security

First seen 13 Jul 2026, 13:28 UTC ProofpointFeeds2.FeedburnerInfosecurity-Magazinewww.infosecurityeurope.comCybersecuritydive+1 88% similarity 69.5

Article Content

Browse articles
ThreatCluster

Cybercriminals are exploiting a novel technique of OAuth client ID spoofing to enumerate accounts on Microsoft Entra ID without generating successful sign-in events. This method allows attackers to infer the validity of usernames and passwords by sending POST requests to Microsoft's OAuth 2.0 token endpoint using the Resource Owner Password Credentials (ROPC) flow. The technique is stealthy, making it difficult for organizations to detect malicious activity in their sign-in logs. Proofpoint researchers have tracked multiple campaigns using this method, targeting millions of user accounts across thousands of Microsoft Entra tenants. The attackers often spoof common usernames to enhance their enumeration efforts. Organizations are advised to monitor for blank application IDs in sign-in logs as a potential indicator of this attack vector.

Key Points: • Attackers are using OAuth client ID spoofing to bypass detection in Microsoft Entra ID. • This technique allows for account enumeration without successful sign-ins, making detection challenging. • Proofpoint has observed multiple campaigns targeting millions of accounts using this method.

ThreatCluster AI

Timeline

2026-07-13
Proofpoint publishes findings on OAuth client ID spoofing
Proofpoint details how attackers exploit OAuth client ID spoofing to enumerate accounts in Microsoft Entra ID, affecting millions of users.
Proofpoint
2026-07-13
Infosecurity Magazine reports on the spoofing technique
Infosecurity Magazine highlights the stealthy nature of OAuth client ID spoofing and its implications for cloud security.
Infosecurity-Magazine
2026-07-13
HelpNet Security covers the attack method
HelpNet Security discusses how attackers use spoofed OAuth client IDs to evade detection in Microsoft Entra ID logs.
Feeds2.Feedburner

Community

Browse all →