VYPR
researchPublished Jul 13, 2026· 2 sources

Attackers Spoof OAuth Client IDs to Evade Microsoft Entra ID Logging

Threat actors are exploiting a gap in Microsoft Entra ID's logging by spoofing OAuth client IDs, allowing them to perform account enumeration without generating successful sign-in events.

Cybercriminals targeting Microsoft cloud environments have adopted a sophisticated technique to mask their reconnaissance activities, specifically during account enumeration. By spoofing the OAuth client ID—a unique identifier for applications involved in authentication requests—attackers can bypass standard security monitoring within Microsoft Entra ID. This method allows threat actors to probe for valid user accounts and credentials without leaving behind the typical traces of a successful login, significantly complicating detection efforts for security teams.

The core of this evasion tactic lies in how Microsoft Entra ID logs authentication attempts. When a legitimate application authenticates, its client ID is recorded alongside other details in the sign-in logs. However, when an attacker submits a forged or unregistered client ID, Entra ID's response and logging behavior create an exploitable blind spot. Proofpoint researchers demonstrated this by using a custom PowerShell module, Invoke-ClientIdSpoofEnum, to send POST requests to Microsoft's OAuth 2.0 token endpoint. Their findings revealed that Entra ID's responses vary based on the validity and format of the client ID, providing attackers with subtle clues about the success of their enumeration attempts.

Specifically, the technique exploits the difference in logging when a syntactically valid, but unregistered, client ID is used. In such cases, Entra ID logs the attempt but leaves the 'application name' field blank. This is crucial because many security alerts and detection rules are tuned to monitor for suspicious activity against known, named applications. By presenting a blank application name, the malicious enumeration traffic can slip past these application-specific defenses. Furthermore, if the attacker uses a malformed client ID, both the application ID and name fields remain empty, and the attempt might not even reach the sign-in log if the username is invalid.

This evasion method offers several advantages to attackers. Firstly, it allows for account enumeration and credential validation without generating a single successful sign-in event, which is a primary indicator of compromise. Secondly, it circumvents security measures that rely on monitoring specific applications. Older tools often targeted common first-party applications like Azure AD PowerShell, leading to easily detectable spikes. Spoofing client IDs scatters this activity across thousands of non-existent applications, diluting the signal and evading rate-limiting mechanisms tied to individual apps. Additionally, Conditional Access policies that are scoped to specific applications will not be enforced against requests using spoofed client IDs.

Proofpoint researchers identified at least two distinct campaigns employing this technique. The first, dubbed UNK_pyreq2323, began in January 2026 and targeted over 4,000 tenants, using client IDs derived from the Exchange Online prefix with randomized endings. This campaign affected over a million user accounts. A second, more mature campaign, UNK_OutFlareAZ, started in December 2025 and utilized fully random UUIDv4 generated client IDs for each request, making correlation more difficult. This campaign reached over 2 million users across numerous tenants, employing systematic username enumeration and common generic handles.

The existence of multiple campaigns using this method, despite differing in their implementation details such as hosting infrastructure and client ID generation strategies, suggests that the technique is becoming more widespread. Researchers believe this is likely due to discussions in underground forums and independent experimentation by various threat actor groups. The speed at which such techniques disseminate is alarming; once disclosed, they can become widely known within hours or days across both attacker and defender communities.

While Proofpoint's research focused on Microsoft Entra ID, the underlying issue is not vendor-specific. The researchers suggest that similar vulnerabilities and blind spots may exist in other identity provider platforms. The challenge lies in the fundamental way authentication systems log and process requests, especially those involving third-party applications and OAuth flows. The erosion of the 'successful sign-in event' as definitive proof of legitimate access highlights a broader industry challenge in maintaining robust security telemetry in the face of evolving attacker methodologies.

This technique underscores the need for security teams to move beyond solely relying on successful sign-in events for detection. Monitoring for anomalous authentication patterns, unusual client ID behavior, and the absence of expected log entries, even when no explicit alert is triggered, is becoming increasingly critical. Organizations should review their Entra ID logging configurations and detection rules to ensure they are not overlooking activity masked by spoofed identifiers.

This new research details a novel technique for spoofing OAuth Client IDs within Microsoft Entra ID, which threat actors can leverage to create a stealthy pathway into cloud environments by impersonating legitimate applications. The exploit bypasses standard security checks, potentially granting unauthorized access to sensitive data and systems.

Synthesized by Vypr AI