Recent findings by Proofpoint have uncovered a troubling trend of cybercriminals exploiting spoofed OAuth client IDs to compromise Microsoft Entra ID accounts. This method allows attackers to probe for valid credentials while avoiding traditional security measures.
Understanding OAuth Client ID Exploitation
OAuth client IDs are unique identifiers assigned to applications for authentication purposes. During the login process, applications use these identifiers, which are recorded by Microsoft Entra ID in sign-in logs. However, attackers have found a way to exploit this by fabricating client IDs, prompting various error codes that can reveal the validity of entered credentials.
For instance, a nonexistent username triggers the AADSTS50034 error, while an incorrect password with a valid username results in an AADSTS50126 error. A valid username-password pair with a spoofed client ID returns the AADSTS700016 error, indicating an unrecognized application ID. This technique allows hackers to verify credentials without successful login attempts being logged.
Campaign Tactics and Techniques
Proofpoint identified two major campaigns leveraging this spoofing tactic. The first, labeled UNK_pyreq2323, targeted over 111 million accounts across nearly 4,000 Entra ID tenants. This campaign resulted in account lockouts for about 28% of users by using over 700,000 fake client IDs.
The second, larger campaign, known as UNK_OutFlareAZ, began in December 2025, targeting more than 222 million users with 3.7 million spoofed IDs. This campaign primarily employed Cloudflare infrastructure and a falsified Microsoft Outlook user agent, complicating detection efforts by using unique UUIDv4 client IDs for each request.
Security Implications and Recommendations
The distinct methods and tools employed in these campaigns suggest that multiple threat actors are independently adopting OAuth client ID spoofing. Organizations are advised to scrutinize Entra ID sign-in logs for events missing application names or having blank IDs, as these might indicate malicious activity.
Security teams should also be vigilant regarding AADSTS700016 errors, as they could reveal attempts to validate legitimate credentials with fake OAuth IDs rather than simple application configuration issues. By paying close attention to these indicators, defenders can enhance their threat detection capabilities.
In conclusion, as hackers continue to refine their strategies, organizations must proactively review and update their security protocols to protect against these sophisticated attacks. Monitoring for anomalous authentication patterns and understanding the nuances of OAuth exploitation are crucial steps in safeguarding digital identities.
