Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Use Fake OAuth IDs to Target Entra ID Users

Hackers Use Fake OAuth IDs to Target Entra ID Users

Posted on July 14, 2026 By CWS

Recent findings by Proofpoint have uncovered a troubling trend of cybercriminals exploiting spoofed OAuth client IDs to compromise Microsoft Entra ID accounts. This method allows attackers to probe for valid credentials while avoiding traditional security measures.

Understanding OAuth Client ID Exploitation

OAuth client IDs are unique identifiers assigned to applications for authentication purposes. During the login process, applications use these identifiers, which are recorded by Microsoft Entra ID in sign-in logs. However, attackers have found a way to exploit this by fabricating client IDs, prompting various error codes that can reveal the validity of entered credentials.

For instance, a nonexistent username triggers the AADSTS50034 error, while an incorrect password with a valid username results in an AADSTS50126 error. A valid username-password pair with a spoofed client ID returns the AADSTS700016 error, indicating an unrecognized application ID. This technique allows hackers to verify credentials without successful login attempts being logged.

Campaign Tactics and Techniques

Proofpoint identified two major campaigns leveraging this spoofing tactic. The first, labeled UNK_pyreq2323, targeted over 111 million accounts across nearly 4,000 Entra ID tenants. This campaign resulted in account lockouts for about 28% of users by using over 700,000 fake client IDs.

The second, larger campaign, known as UNK_OutFlareAZ, began in December 2025, targeting more than 222 million users with 3.7 million spoofed IDs. This campaign primarily employed Cloudflare infrastructure and a falsified Microsoft Outlook user agent, complicating detection efforts by using unique UUIDv4 client IDs for each request.

Security Implications and Recommendations

The distinct methods and tools employed in these campaigns suggest that multiple threat actors are independently adopting OAuth client ID spoofing. Organizations are advised to scrutinize Entra ID sign-in logs for events missing application names or having blank IDs, as these might indicate malicious activity.

Security teams should also be vigilant regarding AADSTS700016 errors, as they could reveal attempts to validate legitimate credentials with fake OAuth IDs rather than simple application configuration issues. By paying close attention to these indicators, defenders can enhance their threat detection capabilities.

In conclusion, as hackers continue to refine their strategies, organizations must proactively review and update their security protocols to protect against these sophisticated attacks. Monitoring for anomalous authentication patterns and understanding the nuances of OAuth exploitation are crucial steps in safeguarding digital identities.

Cyber Security News Tags:AADSTS errors, client ID spoofing, cloud infrastructure, cloud security, cyber threats, Cybersecurity, digital authentication, Hacking, identity theft, Microsoft Entra ID, Microsoft security, OAuth, Proofpoint, security breaches, threat detection

Post navigation

Previous Post: Microsoft Addresses Record 622 Vulnerabilities, Including Two Critical Zero-Days
Next Post: FortiSandbox Vulnerability Exposes VNC Servers

Related Posts

New SHUYAL Attacking 19 Popular Browsers to Steal Login Credentials New SHUYAL Attacking 19 Popular Browsers to Steal Login Credentials Cyber Security News
Navigating APTs – Singapore’s Cautious Response to State-Linked Cyber Attacks Navigating APTs – Singapore’s Cautious Response to State-Linked Cyber Attacks Cyber Security News
Google Chrome 0-Day Vulnerability Actively Exploited in the Wild Google Chrome 0-Day Vulnerability Actively Exploited in the Wild Cyber Security News
Critical GNU InetUtils Vulnerability Allows Unauthenticated Root Access Via “-f root” Critical GNU InetUtils Vulnerability Allows Unauthenticated Root Access Via “-f root” Cyber Security News
10 Best Enterprise Remote Access Software 10 Best Enterprise Remote Access Software Cyber Security News
Critical iTerm2 SSH Flaw Found: Text to Code Execution Critical iTerm2 SSH Flaw Found: Text to Code Execution Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • FortiSandbox Vulnerability Exposes VNC Servers
  • Hackers Use Fake OAuth IDs to Target Entra ID Users
  • Microsoft Addresses Record 622 Vulnerabilities, Including Two Critical Zero-Days
  • Tego AI Exposes Potential Risks in Claude Tag Integration
  • Security Flaw in Claude for Chrome Allows Unauthorized Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • FortiSandbox Vulnerability Exposes VNC Servers
  • Hackers Use Fake OAuth IDs to Target Entra ID Users
  • Microsoft Addresses Record 622 Vulnerabilities, Including Two Critical Zero-Days
  • Tego AI Exposes Potential Risks in Claude Tag Integration
  • Security Flaw in Claude for Chrome Allows Unauthorized Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark