Critical Flaw: OAuth Client ID Spoofing Exposes 2 Million Entra ID Users
Key Takeaways Threat actors are actively leveraging spoofed OAuth client IDs to probe Microsoft Entra ID accounts, bypassing conventional detection mechanisms. This technique exploits how Entra...
Key Takeaways
- Threat actors are actively leveraging spoofed OAuth client IDs to probe Microsoft Entra ID accounts, bypassing conventional detection mechanisms.
- This technique exploits how Entra ID’s error messages differentiate between valid and invalid credentials, even with a fabricated application ID.
- Two major campaigns, UNK_pyreq2323 and UNK_OutFlareAZ, have collectively targeted hundreds of millions of Entra ID users since late 2025.
- The attacks allow adversaries to identify valid username-password combinations without triggering successful logins, making detection difficult.
- Organizations are advised to scrutinize Entra ID sign-in logs for missing application names or specific error codes like AADSTS700016.
Attackers Exploit OAuth Client ID Spoofing to Enumerate Entra ID Users
Cybersecurity researchers at Proofpoint identified a concerning trend: threat actors are increasingly employing spoofed OAuth client IDs to enumerate Microsoft Entra ID accounts. This method allows them to identify valid credentials while effectively evading traditional security detection protocols.
Table Of Content
OAuth client IDs serve as unique identifiers for registered applications. During the authentication process, an application transmits its ID via the client_id parameter. Microsoft Entra ID typically records this information in its sign-in logs, associating the ID with the corresponding application name if it’s a legitimate, registered entity.
However, attackers have discovered that they can submit fabricated client IDs during authentication requests. Crucially, Entra ID’s error messages vary based on the validity of the provided username, password, and the application identifier itself. This subtle difference creates an exploitable vulnerability.
How Spoofing Works to Uncover Valid Credentials
This differential error reporting allows malicious actors to determine if a specific account exists and whether the submitted credentials are correct. Proofpoint demonstrated this technique using Microsoft’s OAuth token endpoint and the Resource Owner Password Credentials (ROPC) flow.
For instance, an attempt with a non-existent username will trigger an AADSTS50034 error. Conversely, a valid username combined with an incorrect password will result in an AADSTS50126 error. The critical insight comes when attackers use a valid username and password alongside an unregistered or spoofed application ID. In this scenario, Entra ID may return the AADSTS700016 error, indicating that the application identifier is not recognized.
This particular response is highly significant for attackers. It confirms the existence of a valid username-password pair without generating a successful sign-in event. As a result, adversaries can pinpoint compromised credentials while security teams only observe what appears to be a series of failed authentication attempts, masking the true nature of the activity.
Undermining Detection Mechanisms
The spoofing technique also complicates existing detection strategies that rely on application names. When a syntactically valid but unregistered client ID is used, Entra ID may log only the application ID, leaving the associated application name field blank. If the client ID is malformed, both the application ID and application name fields might appear empty.
This behavior can effectively blind security tools designed to monitor for unusual authentication volumes against known applications. Such tools may fail to correlate these activities, as the missing or malformed application details prevent proper attribution and threat identification.
Active Campaigns Identified
Proofpoint identified two significant campaigns actively exploiting this vulnerability. The first, dubbed UNK_pyreq2323, took place in January 2026. This campaign targeted over 111 million accounts across nearly 4,000 Entra ID tenants, employing more than 700,000 distinct spoofed client IDs. Approximately 28% of the targeted users experienced account lockouts as a result of this activity.
A second, larger-scale campaign, UNK_OutFlareAZ, commenced in December 2025. This operation targeted over 222 million users and utilized an astonishing 3.7 million unique spoofed client IDs. The activity predominantly originated from Cloudflare infrastructure and employed a forged Microsoft Outlook user agent.
A key difference between the campaigns lies in their ID generation methods. UNK_pyreq2323 modified the trailing digits of an existing Exchange Online application ID, whereas UNK_OutFlareAZ generated a new, random UUIDv4 client ID for each authentication request. This approach by UNK_OutFlareAZ significantly reduced identifier reuse, making correlation and tracking more challenging for defenders. Proofpoint researchers also observed UNK_OutFlareAZ testing common usernames, such as “dsmith,” “msmith,” and “jbrown,” across numerous tenants.
The distinct user agents, infrastructure, and ID-generation techniques employed by these campaigns suggest that multiple threat actors have independently adopted OAuth client ID spoofing as a viable attack vector.
What You Should Do
- Review Entra ID Sign-in Logs: Regularly audit sign-in logs for authentication events that show missing application names or blank application IDs. These anomalies can be indicators of client ID spoofing attempts.
- Investigate AADSTS700016 Errors: Pay close attention to logs showing
AADSTS700016errors. While this error can indicate a legitimate application configuration issue, it can also signify that attackers have supplied valid credentials alongside a fake OAuth application ID. - Implement Conditional Access Policies: Strengthen your Entra ID security posture with Conditional Access policies to restrict access based on device state, location, and other contextual factors.
- Enable Multi-Factor Authentication (MFA): Ensure MFA is enforced for all users, especially those with elevated privileges. MFA significantly reduces the risk of successful account compromise even if credentials are stolen.
- Monitor for Unusual Authentication Patterns: Deploy security tools capable of detecting unusual volumes of authentication attempts, even if they appear as “failed logins” or lack proper application attribution.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.