Jul 14 / Latest News

Proofpoint Identifies Surge in OAuth Client ID Spoofing Across Large‑Scale Cloud Enumeration Campaigns

Attackers are increasingly abusing OAuth client ID spoofing to quietly probe Microsoft Entra ID tenants, and new research from Proofpoint shows the technique is being adopted across multiple large‑scale campaigns.

The method takes advantage of how Entra ID responds to OAuth authentication attempts, allowing adversaries to confirm whether usernames and passwords are valid without ever generating a successful sign‑in event. As the document notes, “spoofed client IDs enable account enumeration without a registered OAuth application and allow attackers to infer password validity or account state without generating a successful sign‑in event.”

By manipulating the client_id parameter, attackers receive distinct AADSTS error codes that reveal whether an account exists, whether a password is correct, and whether MFA or Conditional Access would apply. Valid username‑password pairs return AADSTS700016 — an application‑identifier error that still confirms credential validity. Because Entra only logs attempts against real accounts, enumeration becomes both silent and difficult to correlate.

Proofpoint observed two major campaigns using this technique. One, tracked as UNK_pyreq2323, relied on AWS infrastructure and more than 700,000 spoofed identifiers derived from an Exchange Online application ID. It targeted over a million accounts across nearly 4,000 tenants, and according to the document, “this high volume of failed attempts triggered account lockouts for approximately 28% of targeted users.”

A second, larger campaign — UNK_OutFlareAZ — originated from Cloudflare infrastructure and used fully randomized UUIDv4 values, generating a unique spoofed client ID for every request. It targeted more than two million users across two waves and reused generic username wordlists across multiple organizations. The more mature spoofing approach made correlation nearly impossible.

Proofpoint’s analysis shows the two campaigns differed in user agents, infrastructure, enumeration style, and spoofing sophistication, indicating independent adoption rather than a shared toolkit. One reused spoofed IDs across multiple users, while the other generated a fresh UUID for every attempt.

The document concludes that OAuth client ID spoofing is becoming common tradecraft among cloud‑focused threat actors. Because spoofed identifiers leave the application name field blank, detections tied to specific applications may miss the activity entirely. It warns that defenders should treat sign‑in events with missing application names or IDs as potential indicators of spoofing and notes that an AADSTS700016 error may indicate valid credentials rather than a simple failed login.