Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Fortinet Patches Critical, High Vulnerabilities in FortiOS, FortiProxy
July 14, 2026
Microsoft Patch Tuesday fixes 570 flaws including 3 zero-days
July 14, 2026
Critical Flaw: OAuth Client ID Spoofing Exposes 2 Million Entra ID Users
July 14, 2026
Home/CyberSecurity News/Critical Flaw: OAuth Client ID Spoofing Exposes 2 Million Entra ID Users
CyberSecurity News

Critical Flaw: OAuth Client ID Spoofing Exposes 2 Million Entra ID Users

Key Takeaways Threat actors are actively leveraging spoofed OAuth client IDs to probe Microsoft Entra ID accounts, bypassing conventional detection mechanisms. This technique exploits how Entra...

Jennifer sherman
Jennifer sherman
July 14, 2026 4 Min Read
3 0

Key Takeaways

  • Threat actors are actively leveraging spoofed OAuth client IDs to probe Microsoft Entra ID accounts, bypassing conventional detection mechanisms.
  • This technique exploits how Entra ID’s error messages differentiate between valid and invalid credentials, even with a fabricated application ID.
  • Two major campaigns, UNK_pyreq2323 and UNK_OutFlareAZ, have collectively targeted hundreds of millions of Entra ID users since late 2025.
  • The attacks allow adversaries to identify valid username-password combinations without triggering successful logins, making detection difficult.
  • Organizations are advised to scrutinize Entra ID sign-in logs for missing application names or specific error codes like AADSTS700016.

Attackers Exploit OAuth Client ID Spoofing to Enumerate Entra ID Users

Cybersecurity researchers at Proofpoint identified a concerning trend: threat actors are increasingly employing spoofed OAuth client IDs to enumerate Microsoft Entra ID accounts. This method allows them to identify valid credentials while effectively evading traditional security detection protocols.

Table Of Content

  • Key Takeaways
  • Attackers Exploit OAuth Client ID Spoofing to Enumerate Entra ID Users
  • How Spoofing Works to Uncover Valid Credentials
  • Undermining Detection Mechanisms
  • Active Campaigns Identified
  • What You Should Do

OAuth client IDs serve as unique identifiers for registered applications. During the authentication process, an application transmits its ID via the client_id parameter. Microsoft Entra ID typically records this information in its sign-in logs, associating the ID with the corresponding application name if it’s a legitimate, registered entity.

However, attackers have discovered that they can submit fabricated client IDs during authentication requests. Crucially, Entra ID’s error messages vary based on the validity of the provided username, password, and the application identifier itself. This subtle difference creates an exploitable vulnerability.

How Spoofing Works to Uncover Valid Credentials

This differential error reporting allows malicious actors to determine if a specific account exists and whether the submitted credentials are correct. Proofpoint demonstrated this technique using Microsoft’s OAuth token endpoint and the Resource Owner Password Credentials (ROPC) flow.

For instance, an attempt with a non-existent username will trigger an AADSTS50034 error. Conversely, a valid username combined with an incorrect password will result in an AADSTS50126 error. The critical insight comes when attackers use a valid username and password alongside an unregistered or spoofed application ID. In this scenario, Entra ID may return the AADSTS700016 error, indicating that the application identifier is not recognized.

This particular response is highly significant for attackers. It confirms the existence of a valid username-password pair without generating a successful sign-in event. As a result, adversaries can pinpoint compromised credentials while security teams only observe what appears to be a series of failed authentication attempts, masking the true nature of the activity.

Undermining Detection Mechanisms

The spoofing technique also complicates existing detection strategies that rely on application names. When a syntactically valid but unregistered client ID is used, Entra ID may log only the application ID, leaving the associated application name field blank. If the client ID is malformed, both the application ID and application name fields might appear empty.

This behavior can effectively blind security tools designed to monitor for unusual authentication volumes against known applications. Such tools may fail to correlate these activities, as the missing or malformed application details prevent proper attribution and threat identification.

Active Campaigns Identified

Proofpoint identified two significant campaigns actively exploiting this vulnerability. The first, dubbed UNK_pyreq2323, took place in January 2026. This campaign targeted over 111 million accounts across nearly 4,000 Entra ID tenants, employing more than 700,000 distinct spoofed client IDs. Approximately 28% of the targeted users experienced account lockouts as a result of this activity.

A second, larger-scale campaign, UNK_OutFlareAZ, commenced in December 2025. This operation targeted over 222 million users and utilized an astonishing 3.7 million unique spoofed client IDs. The activity predominantly originated from Cloudflare infrastructure and employed a forged Microsoft Outlook user agent.

A key difference between the campaigns lies in their ID generation methods. UNK_pyreq2323 modified the trailing digits of an existing Exchange Online application ID, whereas UNK_OutFlareAZ generated a new, random UUIDv4 client ID for each authentication request. This approach by UNK_OutFlareAZ significantly reduced identifier reuse, making correlation and tracking more challenging for defenders. Proofpoint researchers also observed UNK_OutFlareAZ testing common usernames, such as “dsmith,” “msmith,” and “jbrown,” across numerous tenants.

The distinct user agents, infrastructure, and ID-generation techniques employed by these campaigns suggest that multiple threat actors have independently adopted OAuth client ID spoofing as a viable attack vector.

What You Should Do

  • Review Entra ID Sign-in Logs: Regularly audit sign-in logs for authentication events that show missing application names or blank application IDs. These anomalies can be indicators of client ID spoofing attempts.
  • Investigate AADSTS700016 Errors: Pay close attention to logs showing AADSTS700016 errors. While this error can indicate a legitimate application configuration issue, it can also signify that attackers have supplied valid credentials alongside a fake OAuth application ID.
  • Implement Conditional Access Policies: Strengthen your Entra ID security posture with Conditional Access policies to restrict access based on device state, location, and other contextual factors.
  • Enable Multi-Factor Authentication (MFA): Ensure MFA is enforced for all users, especially those with elevated privileges. MFA significantly reduces the risk of successful account compromise even if credentials are stolen.
  • Monitor for Unusual Authentication Patterns: Deploy security tools capable of detecting unusual volumes of authentication attempts, even if they appear as “failed logins” or lack proper application attribution.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical Claude for Chrome Flaw Exposes Gmail, Docs, Calendar Data

Next Post

Microsoft Patch Tuesday fixes 570 flaws including 3 zero-days

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical FortiSandbox CVE-2023-34981 Exposes VNC Server to Attackers
July 14, 2026
SOC Efficiency: Cut Alert Overload and MTTR by 21 Minutes Per Case
July 14, 2026
Miasma Malware Creates Backdoors in npm Packages, Targets Dev Machines
July 14, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us