Rise in Abuse of Spoofed OAuth Application Identifiers Targeting Microsoft Entra ID Accounts
As cyber threats evolve, attackers increasingly exploit spoofed OAuth application identifiers to compromise Microsoft Entra ID accounts, subjecting them to credential testing and fragmenting authentication activities across vast numbers of fictitious applications. This method capitalizes on a specific weakness within the OAuth authentication framework, particularly in how the Entra ID processes the client_id parameter during authentication requests.
In essence, every registered OAuth application receives a unique application identifier that is globally acknowledged. Typically, the sign-in logs for Entra record both the application ID and its corresponding name. However, attackers have discovered that when they input a syntactically valid but unregistered client ID, the logs may record the application ID while leaving the name field empty. This absence of information allows attackers to evade detection systems designed to identify and halt activities like password spraying or account enumeration directed at commonly exploited Microsoft applications, which include Azure AD PowerShell and Exchange Online.
By distributing their authentication attempts across a multitude of fabricated application IDs, attackers can mask their activities. Rather than focusing their malicious actions on a single, recognizable client, they can diverge their requests across a large array of invented identifiers, complicating the task of defensive security teams to pinpoint their activities.
Proofpoint, a cybersecurity company, has simulated this kind of behavior by utilizing the Resource Owner Password Credentials (ROPC) flow. This process entails directly submitting usernames and passwords at Microsoft’s /common/oauth2/token endpoint. The responses returned from these requests can yield significant information regarding the account’s state, even to unauthorized users. For instance, error code AADSTS50034 corresponds to an invalid username, while AADSTS50126 indicates a valid account with an incorrect password.
More troubling, if an attacker sends a legitimate username paired with the correct password alongside an unregistered application ID, the system may return an AADSTS700016 code, indicating that the application identifier is unknown. This response effectively provides validation of a valid username-password combination, yet it does so without triggering a successful sign-in event. Such a discovery is particularly concerning; Entra logs only record attempts involving valid usernames. Thus, an organization investigating a sudden spike in failed authentication attempts may observe data indicative of enumeration while remaining unaware that an attacker has already identified valid credentials.
Proofpoint has categorized the management of OAuth client ID spoofing as an emerging technique increasingly adopted in cloud campaigns. Looking closely, they tracked a campaign designated UNK_pyreq2323, which operated from January through March 2026. This campaign deployed the python-requests/2.32.3 user agent and utilized AWS-hosted infrastructure to target over one million accounts across nearly 4,000 Entra tenants. The attackers in this situation dispersed their requests over more than 700,000 spoofed client IDs, modifying the final digits of an Exchange Online-related identifier.
Most of these fraudulent IDs were used against only one to three accounts—none exceeding 12 attempts—thereby diminishing the efficiency of correlation rules based on recurring application activity. As a consequence, the campaign resulted in account lockouts affecting approximately 28% of targeted users, illustrating that even stealthy enumeration tactics could result in significant operational disruption.
Another operation, identified as UNK_OutFlareAZ, commenced in December 2025, with a more extensive scope. It aimed at over two million users while cycling through approximately 3.7 million spoofed application IDs. This larger campaign primarily originated from Cloudflare infrastructure, employing a forged Microsoft Outlook user agent frequently used in password enumeration tools.
Notably, while UNK_pyreq2323 demonstrated fixed application identifiers, the second initiative utilized a new random UUIDv4 client ID for each authentication attempt, further complicating analytical efforts to link requests based on application identifiers. The user targeting in this campaign appeared both alphabetical and generically reused names—such as dsmith, msmith, and jbrown—across multiple tenants, indicating reliance on precompiled wordlists.
The differences in user agents, infrastructure utilization, client-ID generation, and strategic execution suggest that distinct actors or tools are adopting OAuth client ID spoofing independently. Proofpoint concludes that this practice is becoming increasingly prevalent within cloud-centered credential attacks.
To bolster defenses, organizations are advised to closely analyze Entra sign-in records that lack application names, especially when coupled with a high volume of failed authentication attempts, multiple source IPs, or unusual client IDs. Being vigilant in this regard can help mitigate the rising threat posed by sophisticated OAuth client ID spoofing tactics.

