Recent investigations have unveiled a sophisticated method employed by at least two threat groups to bypass security in Microsoft Entra environments. By using an evasion technique known as OAuth client ID spoofing, these actors manage to validate stolen credentials without triggering typical security alerts, posing a significant risk to cloud security frameworks.
Understanding OAuth Client ID Spoofing
OAuth client ID spoofing is a novel attack vector that enables unauthorized access to cloud services by exploiting gaps in Microsoft Entra ID’s telemetry systems. The attackers utilize this technique to check the validity of stolen credentials without generating successful sign-in records, which would typically alert cybersecurity teams.
Proofpoint has detailed how attackers manipulate the cloud sign-in process by exploiting differences in error responses, depending on the validity of the OAuth client ID provided. By doing so, they can effectively verify usernames and passwords at scale without being detected.
Mechanics of the Attack
The core of this exploit lies in the OAuth client ID, a unique identifier assigned to applications during authentication requests. Attackers spoof these IDs to conduct account enumeration without registering an official OAuth application, allowing them to infer account and password validity covertly.
Rachel Rabin, a researcher at Proofpoint, noted that Entra sign-in logs are crucial for detecting malicious activities such as user enumeration and password spraying. Attackers have exploited this by using spoofed client IDs in HTTP POST requests to Microsoft’s OAuth 2.0 token endpoint, following the Resource Owner Password Credentials (ROPC) flow.
Implications for Cloud Security
The absence of an application name in sign-in logs when using spoofed client IDs makes it challenging for defenders to correlate and detect suspicious activities. Attackers gain a stealth advantage as traditional detection methods may not flag these activities.
Two major campaigns, UNK_pyreq2323 and UNK_OutFlareAZ, have been identified as using this technique extensively. The former used spoofed IDs from AWS infrastructure, while the latter utilized Cloudflare infrastructure, targeting millions of users and employing different strategies for client ID spoofing.
UNK_pyreq2323 altered known application IDs slightly, while UNK_OutFlareAZ generated unique IDs for each request, complicating detection efforts.
Future Outlook and Mitigation Strategies
The increasing adoption of OAuth client ID spoofing signifies a shift in attacker tactics, emphasizing the need for enhanced detection and response strategies in cloud environments. Organizations are advised to implement Conditional Access policies and monitor for unusual sign-in patterns to mitigate potential breaches.
As attackers continue to refine their methods, staying ahead requires continuous vigilance and adaptation of security measures to address emerging threats effectively.
