New Technique in Cybersecurity: OAuth Client ID Spoofing Poses Threat to Cloud Environments
In an alarming development for cybersecurity, two distinct groups of malicious actors have begun exploiting a newly identified evasion technique known as OAuth client ID spoofing. This tactic is being employed in various cloud campaigns, enabling attackers to evade traditional detection measures while gaining unauthorized access to sensitive organizational data.
The sophistication of this technique allows users to enumerate accounts and validate stolen credentials within Microsoft Entra ID environments without triggering any successful sign-in events that would typically alert security personnel. By leveraging this gap in telemetry, these cybercriminals can compromise an organization’s cloud services with relative ease.
According to a statement from Proofpoint, a security firm actively monitoring these threats, there exists a significant gap in cloud sign-in telemetry. "Entra ID provides varied error responses based on the validity of the supplied OAuth client ID," noted the firm. "Criminals exploit this discrepancy to methodically infer valid usernames and passwords at scale, thus allowing them to validate lists of stolen credentials without generating a single successful login event."
The exploit hinges on the OAuth client ID, which is a globally unique identifier (GUID) assigned to applications during the process of requesting access to user data. When a user attempts authentication, this identifier is conveyed as "client_id." By employing spoofed client IDs, attackers can conduct account enumeration without the existence of a registered OAuth application, thereby validating both the existence of accounts and the correctness of their corresponding passwords without ever achieving a successful sign-in.
Rachel Rabin, a researcher at Proofpoint, elaborated on the implications of this issue, stating, "The Entra sign-in logs are a fundamental telemetry resource for identifying malicious behavior, including user enumeration, password spraying, and initial access attempts." This highlights the role of sign-in logs in monitoring potentially harmful authentication activities.
Threat clusters such as UNK_CustomCloak have been observed utilizing modified User-Agent strings to orchestrate brute-force campaigns directed at Microsoft Entra ID environments. They exploit a now-obsolete first-party application known as Windows Live Custom Domains to circumvent standard sign-in restrictions and probe passwords across more than 4,000 tenants.
Recent adaptations suggest that cybercriminals are evolving their tactics by employing spoofed OAuth client IDs in HTTP POST requests directed at Microsoft’s OAuth 2.0 token endpoint, utilizing the Resource Owner Password Credentials (ROPC) flow. In this scenario, attackers input a syntactically correct client ID that is not linked to any actual application.
In cases like these, the Entra sign-in logs typically only capture the application ID without any corresponding application name. This omission leads to significant detection challenges, as the error responses included in such requests contain Azure Active Directory Security Token Service (AADSTS) error codes. These codes can provide information about whether a particular account exists and if the corresponding password is valid, all without the necessity of a legitimate application.
Proofpoint emphasizes the subtleties of the threat further, stating, "If a spoofed client ID does not align with the correct UUIDv4 format, Entra does not outright reject the request." This allows attackers to analyze error responses to determine valid usernames and passwords, even when malformed client IDs are used.
The ramifications of this security oversight are significant, as the use of spoofed client IDs means that no application names are recorded in the sign-in logs. Thus, security systems designed to detect surges of sign-in attempts against specific application names may entirely miss this malicious activity.
In late December 2025, Proofpoint identified two large-scale campaigns that independently adopted the OAuth client ID spoofing technique. This indicates a concerning trend, where this tactic is not merely an isolated experiment but rather a crucial component of ongoing attacker tradecraft.
The first campaign, dubbed UNK_pyreq2323, operated from January to March 2026 and utilized over 700,000 spoofed client IDs originating from Amazon Web Services infrastructure. This campaign targeted more than one million accounts across nearly 4,000 tenants, resulting in account lockouts for approximately 28% of the users subjected to these failed login attempts.
The second campaign, identified as UNK_OutFlareAZ, commenced in December 2025 and leveraged Cloudflare’s infrastructure to reach over two million users with a staggering 3.7 million randomized spoofed application IDs. Evidence suggested that both campaigns utilized valid UUIDs to evade detection, creating patterns aligned with precompiled username lists.
These two campaigns differed in their methodologies; for instance, while UNK_OutFlareAZ systematically enumerated users in alphabetical order, UNK_pyreq2323 did not follow any discernible order. They also diverged in their approach to client ID spoofing, with one modifying known application IDs while the other generated unique client IDs for each request.
"By fragmenting authentication attempts across numerous fictitious applications, activity becomes challenging to correlate and evade detection," commented Proofpoint. The firm suggests organizations can mitigate traditional enumeration attacks by implementing Conditional Access policies tied to commonly targeted applications. However, spoofed client IDs evade such protective measures due to their lack of association with specific applications.
While this issue of OAuth client ID spoofing has been particularly pronounced within Microsoft services, experts believe that other identity providers could be vulnerable to similar attacks. Yaniv Miron, director of threat research at Proofpoint, indicated that attackers are continuously adapting and may adopt public research into their strategies. "Spoofing has been a well-known tactic for years," Miron noted, emphasizing the need for vigilance in cybersecurity practices.
The implications of OAuth client ID spoofing are profound, marking a pivotal moment in the ongoing battle against cyber threats. As these tactics evolve, vigilance and adaptability will be paramount for organizations seeking to safeguard their cloud environments against increasingly sophisticated attacks.
