OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials
Attackers are exploiting a telemetry blind spot in Microsoft Entra ID by spoofing OAuth client IDs to enumerate accounts and validate stolen credentials without triggering standard sign-in alerts. Two distinct threat clusters, UNK_pyreq2323 and UNK_OutFlareAZ, have launched large-scale campaigns targeting millions of accounts across thousands of tenants using AWS and Cloudflare infrastructure respectively. The technique leverages the Resource Owner Password Credentials (ROPC) flow, allowing atta
Analysis
TL;DR
- Attackers are exploiting a telemetry blind spot in Microsoft Entra ID by spoofing OAuth client IDs to enumerate accounts and validate stolen credentials without triggering standard sign-in alerts.
- Two distinct threat clusters, UNK_pyreq2323 and UNK_OutFlareAZ, have launched large-scale campaigns targeting millions of accounts across thousands of tenants using AWS and Cloudflare infrastructure respectively.
- The technique leverages the Resource Owner Password Credentials (ROPC) flow, allowing attackers to infer account and password validity through specific AADSTS error codes while bypassing per-application Conditional Access policies.
- Detection is hindered because spoofed client IDs result in blank application names in logs, preventing correlation-based detections and rate-limiting mechanisms from functioning effectively.
Why It Matters
This vulnerability represents a significant shift in identity-based attack tradecraft, moving beyond simple credential stuffing to sophisticated enumeration that evades existing security telemetry. For AI practitioners and security researchers, it highlights critical gaps in how machine learning models and rule-based systems interpret authentication logs when key contextual fields (like application names) are manipulated or missing. Organizations must urgently reassess their detection logic to account for these evasion techniques, as traditional per-application monitoring is rendered ineffective.
Technical Details
- Mechanism: Attackers send HTTP POST requests to the Microsoft OAuth 2.0 token endpoint using the ROPC flow, injecting syntactically valid but non-existent OAuth client IDs (UUIDs).
- Telemetry Evasion: When a spoofed client ID is used, Microsoft Entra ID records the application ID but leaves the application name blank in sign-in logs. This breaks detection rules that rely on tracking surges against specific named applications.
- Error Code Analysis: The system returns distinct AADSTS error codes based on whether the provided client ID is recognized. Attackers parse these responses to determine if a username exists and if the password is correct, effectively performing credential validation without a successful login event.
- Campaign Specifics:
- UNK_pyreq2323: Used over 700,000 spoofed IDs from AWS, targeting 1M+ accounts across 4,000 tenants. It modified trailing digits of known IDs and reused them across up to 12 users.
- UNK_OutFlareAZ: Started in Dec 2025, using Cloudflare infrastructure to target 2M+ users with 3.7M randomized IDs, enumerating users alphabetically and generating a unique ID per request.
- Policy Bypass: Since the client IDs do not correspond to registered applications, Conditional Access policies scoped to specific applications fail to trigger, allowing the attacks to proceed unimpeded.
Industry Insight
- Shift in Detection Strategy: Security teams must move away from relying solely on per-application telemetry. Implementing behavioral analytics that detect anomalies in authentication failure patterns, regardless of the application name field, is essential.
- Infrastructure Monitoring: Given the use of major cloud providers (AWS, Cloudflare) for these campaigns, integrating IP reputation data and monitoring for high-volume authentication requests originating from known cloud infrastructure ranges can help identify and block these threats early.
- Policy Hardening: Organizations should review Conditional Access policies to ensure they are not overly reliant on application-specific scoping. Broadening detection scopes to include all authentication attempts, particularly those involving ROPC flows or unusual client ID patterns, will improve visibility into these evasion techniques.
Disclaimer: The above content is generated by AI and is for reference only.