AI Security AI安全 9h ago Updated 2h ago 更新于 2小时前 46

OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials OAuth客户端ID伪造使攻击者能够验证被盗的Microsoft Entra凭据

Attackers are exploiting a telemetry blind spot in Microsoft Entra ID by spoofing OAuth client IDs to enumerate accounts and validate stolen credentials without triggering standard sign-in alerts. Two distinct threat clusters, UNK_pyreq2323 and UNK_OutFlareAZ, have launched large-scale campaigns targeting millions of accounts across thousands of tenants using AWS and Cloudflare infrastructure respectively. The technique leverages the Resource Owner Password Credentials (ROPC) flow, allowing atta 攻击者利用OAuth Client ID欺骗技术,通过伪造客户端ID在Microsoft Entra ID环境中进行账户枚举和密码验证,且不会触发成功的登录事件。 该攻击绕过了传统的基于应用名称的遥测检测和条件访问策略,因为伪造的ID在日志中不显示应用名称且无法关联到具体应用。 两个主要威胁集群(UNK_pyreq2323和UNK_OutFlareAZ)已大规模采用此技术,分别利用AWS和Cloudflare基础设施针对数百万账户发起攻击。 攻击者通过分析AADSTS错误代码的差异来推断用户是否存在及密码是否正确,实现了隐蔽的大规模凭证验证。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Attackers are exploiting a telemetry blind spot in Microsoft Entra ID by spoofing OAuth client IDs to enumerate accounts and validate stolen credentials without triggering standard sign-in alerts.
  • Two distinct threat clusters, UNK_pyreq2323 and UNK_OutFlareAZ, have launched large-scale campaigns targeting millions of accounts across thousands of tenants using AWS and Cloudflare infrastructure respectively.
  • The technique leverages the Resource Owner Password Credentials (ROPC) flow, allowing attackers to infer account and password validity through specific AADSTS error codes while bypassing per-application Conditional Access policies.
  • Detection is hindered because spoofed client IDs result in blank application names in logs, preventing correlation-based detections and rate-limiting mechanisms from functioning effectively.

Why It Matters

This vulnerability represents a significant shift in identity-based attack tradecraft, moving beyond simple credential stuffing to sophisticated enumeration that evades existing security telemetry. For AI practitioners and security researchers, it highlights critical gaps in how machine learning models and rule-based systems interpret authentication logs when key contextual fields (like application names) are manipulated or missing. Organizations must urgently reassess their detection logic to account for these evasion techniques, as traditional per-application monitoring is rendered ineffective.

Technical Details

  • Mechanism: Attackers send HTTP POST requests to the Microsoft OAuth 2.0 token endpoint using the ROPC flow, injecting syntactically valid but non-existent OAuth client IDs (UUIDs).
  • Telemetry Evasion: When a spoofed client ID is used, Microsoft Entra ID records the application ID but leaves the application name blank in sign-in logs. This breaks detection rules that rely on tracking surges against specific named applications.
  • Error Code Analysis: The system returns distinct AADSTS error codes based on whether the provided client ID is recognized. Attackers parse these responses to determine if a username exists and if the password is correct, effectively performing credential validation without a successful login event.
  • Campaign Specifics:
    • UNK_pyreq2323: Used over 700,000 spoofed IDs from AWS, targeting 1M+ accounts across 4,000 tenants. It modified trailing digits of known IDs and reused them across up to 12 users.
    • UNK_OutFlareAZ: Started in Dec 2025, using Cloudflare infrastructure to target 2M+ users with 3.7M randomized IDs, enumerating users alphabetically and generating a unique ID per request.
  • Policy Bypass: Since the client IDs do not correspond to registered applications, Conditional Access policies scoped to specific applications fail to trigger, allowing the attacks to proceed unimpeded.

Industry Insight

  • Shift in Detection Strategy: Security teams must move away from relying solely on per-application telemetry. Implementing behavioral analytics that detect anomalies in authentication failure patterns, regardless of the application name field, is essential.
  • Infrastructure Monitoring: Given the use of major cloud providers (AWS, Cloudflare) for these campaigns, integrating IP reputation data and monitoring for high-volume authentication requests originating from known cloud infrastructure ranges can help identify and block these threats early.
  • Policy Hardening: Organizations should review Conditional Access policies to ensure they are not overly reliant on application-specific scoping. Broadening detection scopes to include all authentication attempts, particularly those involving ROPC flows or unusual client ID patterns, will improve visibility into these evasion techniques.

TL;DR

  • 攻击者利用OAuth Client ID欺骗技术,通过伪造客户端ID在Microsoft Entra ID环境中进行账户枚举和密码验证,且不会触发成功的登录事件。
  • 该攻击绕过了传统的基于应用名称的遥测检测和条件访问策略,因为伪造的ID在日志中不显示应用名称且无法关联到具体应用。
  • 两个主要威胁集群(UNK_pyreq2323和UNK_OutFlareAZ)已大规模采用此技术,分别利用AWS和Cloudflare基础设施针对数百万账户发起攻击。
  • 攻击者通过分析AADSTS错误代码的差异来推断用户是否存在及密码是否正确,实现了隐蔽的大规模凭证验证。

为什么值得看

这篇文章揭示了Microsoft Entra ID身份验证遥测中的一个关键盲区,展示了攻击者如何利用协议设计缺陷绕过现有的安全监控机制。对于云安全和身份管理从业者而言,这标志着传统基于应用上下文的检测策略正在失效,亟需调整防御重心以应对这种无应用关联的隐蔽攻击。

技术解析

  • 攻击原理:攻击者向Microsoft OAuth 2.0令牌端点发送HTTP POST请求,使用资源所有者密码凭据(ROPC)流。他们提供语法有效但不对应真实应用的OAuth Client ID(UUID)。
  • 检测规避:当使用伪造的Client ID时,Entra登录日志仅记录应用ID而无应用名称。由于缺乏应用名称,针对特定应用激增的检测规则以及基于应用的条件访问(CA)策略均无法生效。
  • 信息推断:Entra ID根据提供的Client ID是否有效返回不同的AADSTS错误代码。攻击者通过分析这些错误响应,无需成功登录即可推断出有效的用户名和密码组合。
  • 实战案例:UNK_pyreq2323集群修改已知应用ID的后缀并复用,针对近4000个租户;UNK_OutFlareAZ集群为每次请求生成唯一的随机Client ID,利用Cloudflare基础设施扩大攻击范围。

行业启示

  • 重构检测逻辑:安全团队应停止过度依赖“应用名称”作为检测指标,转而关注异常的错误代码模式、IP信誉、请求频率以及非标准ROPC流的特征。
  • 强化身份治理:鉴于条件访问策略可能被绕过,组织需实施更严格的零信任原则,如强制多因素认证(MFA)和持续身份验证风险评分,而非仅依赖应用级别的限制。
  • 监控协议层异常:需要加强对OAuth端点底层遥测数据的分析,识别那些看似合法但来源可疑或行为异常的Client ID序列,以发现潜在的账户枚举活动。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全