Attackers Exploit Spoofed OAuth Client IDs to Stealthily Enumerate Credentials at Scale

Published:

spot_img

Attackers Exploit Spoofed OAuth Client IDs to Stealthily Enumerate Credentials at Scale

Recent investigations by cybersecurity researchers have unveiled a series of sophisticated campaigns where attackers employ OAuth client ID spoofing to execute stealthy credential enumeration. This technique involves manipulating the unique application identifiers assigned to OAuth applications, which are crucial for authentication requests and are logged in Entra sign-in records.

The Role of Entra Sign-In Logs

Entra sign-in logs serve as a vital telemetry source for security teams, enabling them to detect malicious authentication activities such as user enumeration, password spraying, and initial access attempts. Attackers have adapted their strategies to evade detection by distributing authentication requests through rotating user agents and proxy services that change source IP addresses with each request. This makes it increasingly difficult for security systems to identify and respond to unauthorized access attempts.

Spoofed client IDs allow attackers to enumerate accounts without needing a registered OAuth application, thereby inferring the validity of both passwords and accounts without triggering a successful sign-in event. This evasion tactic is particularly concerning in regions where credential theft is prevalent. The UAE Cybersecurity Council has reported that over 75% of cyber breaches in the country originate from phishing or fraudulent messages, highlighting the critical need for effective countermeasures against such tactics.

Implications for Cybersecurity in the UAE

The implications of these findings are significant for the UAE, where credential theft is a dominant entry point for cyberattacks. The ability to confirm which accounts exist and which passwords are valid without generating a successful sign-in event directly feeds into the existing vulnerabilities. When attackers use spoofed client IDs, no corresponding application name is recorded in the sign-in logs, which can lead to missed detections for surges in activity against specific applications.

Proofpoint’s threat research team has noted that this logging behavior enables unauthenticated attackers to enumerate users and validate credentials without raising alarms. Even when such activities are detected, defenders may not recognize that valid credentials have been identified, potentially overlooking compromised accounts entirely.

Evasion Tactics and Traditional Enumeration Tools

Traditional enumeration tools often target built-in first-party applications, such as command-line tools like Azure AD PowerShell, which are present in all tenants and have historically posed challenges for multi-factor authentication (MFA) enforcement. Security operations center teams typically respond to surges in authentication requests directed at a single application. However, by fragmenting these requests across numerous fictitious applications, attackers can make their activities harder to correlate, thereby evading per-application detections and rate limiting.

Organizations may attempt to counteract traditional enumeration attacks by implementing Conditional Access (CA) policies tailored to applications frequently targeted for enumeration. However, spoofed client IDs do not trigger these CA policies, allowing attackers to bypass such defenses.

Active Campaigns and Their Scale

Proofpoint has documented this technique in active campaigns, with the first, identified as UNK_pyreq2323, emerging on January 14, 2026. This campaign involved the distribution of enumeration attempts across more than 700,000 spoofed client IDs. The activity peaked in late January and early February before tapering off by early March. Originating from AWS infrastructure, this campaign targeted over one million unique user accounts across nearly 4,000 tenants, resulting in account lockouts for approximately 28% of the targeted users.

A subsequent campaign, tracked as UNK_OutFlareAZ, began in December 2025 and demonstrated the same client ID spoofing technique but on a larger scale. This campaign, primarily originating from Cloudflare infrastructure, targeted more than 2 million users and utilized 3.7 million spoofed application IDs. The activity unfolded in two distinct waves: the first peaked in late December with around 242,000 users, while a second wave escalated in early February, reaching approximately 720,000 users by March 15.

Patterns and Techniques Observed

A notable trend in both campaigns was the reuse of generic usernames across multiple tenants, such as dsmith, msmith, and jbrown. This pattern suggests that attackers employed a common wordlist of generic usernames, as Entra ID only records attempts against valid accounts.

While both campaigns utilized OAuth client ID spoofing for user enumeration, variations in user agents, infrastructure, and enumeration patterns indicate that they were likely conducted by different operators or tools. For instance, UNK_pyreq2323 modified the trailing digits of a known application ID, reusing spoofed IDs across multiple users. In contrast, UNK_OutFlareAZ generated unique client IDs for each request and enumerated users alphabetically, a more sophisticated approach that limits correlation.

These distinctions underscore the independent adoption of the same underlying technique, reinforcing the assessment that OAuth client ID spoofing is becoming a prevalent method among threat actors.

Recommendations for Security Teams

OAuth client ID spoofing enables attackers to enumerate accounts and validate credentials at scale without generating successful sign-in events in Entra ID logs. The emergence of multiple campaigns employing unique tools and infrastructure suggests that this technique is gaining traction among threat actors targeting cloud environments.

Beyond evading sign-in telemetry, spoofed client IDs provide additional advantages, such as distributing attacks across seemingly legitimate applications and potentially bypassing downstream detections reliant on populated application name fields.

Security teams are advised to treat sign-in log entries with blank application IDs or those lacking a corresponding application name as potential indicators of client ID spoofing. Additionally, they should recognize that certain authentication errors may signal compromised credentials rather than mere failed login attempts.

Source: securitymea.com

Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.

spot_img

Related articles

Recent articles

Russia’s FSB Blamed for Poland’s Grid Attack as UK and EU Launch Coordinated Cyber Sanctions

Russia's FSB Blamed for Poland's Grid Attack as UK and EU Launch Coordinated Cyber Sanctions A significant cyberattack last winter, which nearly disrupted heating for...

AI Management Emerges as a Crucial Priority Over Development, Asserts UiPath Executive

AI Management Emerges as a Crucial Priority Over Development, Asserts UiPath Executive As organizations in the UAE and Saudi Arabia advance in their artificial intelligence...

Digital Forensics Strengthens Case Against Jason Cunningham in £113,000 Property Investment Fraud

Digital Forensics Strengthens Case Against Jason Cunningham in £113,000 Property Investment Fraud A significant property investment fraud case in the United Kingdom has highlighted the...

CISA Issues Critical Lessons Following Six-Month GitHub Data Leak

CISA Issues Critical Lessons Following Six-Month GitHub Data Leak The Cybersecurity and Infrastructure Security Agency (CISA) has released a detailed postmortem regarding a significant data...