OAuth Client ID Spoofing Enables Stealthy Cloud Account Enumeration  | eSecurity Planet

OAuth Client ID Spoofing Enables Stealthy Cloud Account Enumeration 

Proofpoint found attackers are using OAuth client ID spoofing to stealthily enumerate Microsoft Entra ID accounts.

Written By
Ken Underhill
Ken Underhill
Jul 16, 2026
5 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Microsoft Entra ID sign-in logs have provided defenders with critical visibility into authentication activity, helping security teams investigate user enumeration, password spraying, and other identity-based attacks. 

However, research from Proofpoint shows threat actors are increasingly using a technique called OAuth client ID spoofing to evade common detection methods while identifying valid user accounts and credentials.

Key Takeaways

  • Attackers are spoofing OAuth client IDs to enumerate Microsoft Entra ID accounts while evading common authentication-based detection methods.
  • Spoofed client IDs leave application names blank in Entra sign-in logs, reducing the visibility security teams rely on to investigate suspicious activity.
  • Proofpoint identified two large-scale campaigns that targeted millions of user accounts across thousands of Microsoft Entra tenants using different OAuth client ID spoofing techniques.
  • The campaigns demonstrate that OAuth client ID spoofing is evolving into a scalable cloud reconnaissance technique adopted by multiple threat actors.
  • Organizations should strengthen identity monitoring, risk-based access controls, and incident response readiness to improve detection of stealthy cloud identity attacks.

How OAuth client ID spoofing enables Microsoft Entra ID account enumeration  

Instead of using a legitimate OAuth application, attackers are spoofing the OAuth client ID — a globally unique identifier (GUID) assigned to every registered application in Microsoft Entra ID. 

During authentication requests, they supply fabricated or stolen client IDs rather than those associated with legitimate applications, allowing them to probe cloud identities without creating or registering an OAuth application of their own.

Under normal circumstances, every authentication request includes a client ID that identifies the application requesting access. 

When the client ID matches a registered application, Microsoft Entra ID records the application’s name in the sign-in logs, giving defenders valuable context for identifying suspicious authentication activity targeting a specific application.

Advertisement

Spoofed client IDs are harder to detect 

Spoofed client IDs remove that visibility. Because the supplied client ID does not correspond to a legitimate registered application, the application name field remains blank in Microsoft Entra sign-in logs. 

Security teams that rely on application names to detect authentication anomalies or identify attacks against specific cloud applications may overlook the activity altogether.

Proofpoint researchers also found that attackers can exploit differences in Microsoft Entra ID responses to determine whether a supplied client ID is valid and whether a targeted user account or password exists. 

By analyzing these responses, threat actors can enumerate users, validate credentials, and gather intelligence about an organization’s cloud identities without generating a successful sign-in event or leaving many of the indicators defenders traditionally monitor.

The technique is effective at scale 

The technique also makes large-scale campaigns more difficult to detect. 

Rather than concentrating authentication attempts against a handful of well-known Microsoft applications, attackers can spread requests across thousands of fictitious client IDs. 

This distributes authentication telemetry, reduces recognizable attack patterns, and may allow some Conditional Access policies scoped to specific applications to be bypassed.

OAuth client ID spoofing campaigns target millions of Microsoft Entra ID accounts 

Researchers identified two large-scale campaigns that leveraged OAuth client ID spoofing but differed significantly in their infrastructure, tooling, and execution. 

Advertisement

UNK_pyreq2323

The first campaign, tracked as UNK_pyreq2323, was initially observed on Jan. 14, 2026. 

Operating primarily from Amazon Web Services (AWS) infrastructure, the attackers generated authentication requests using the python-requests/2.32.3 user agent while distributing their activity across more than 700,000 spoofed OAuth client IDs.

According to Proofpoint, the campaign targeted more than 1 million user accounts across nearly 4,000 Microsoft Entra tenants. 

The high volume of failed authentication attempts caused account lockouts for approximately 28% of targeted users, creating operational disruption in addition to providing reconnaissance opportunities for the attackers.

Rather than generating random client IDs, the attackers modified only the final digits of the well-known Exchange Online application GUID. 

Each spoofed client ID was reused only briefly before being discarded, making it harder for defenders to correlate activity. 

UNK_OutFlareAZ

The researchers also identified a second campaign, UNK_OutFlareAZ, which began in December 2025 and operated primarily from Cloudflare infrastructure. 

Although it employed the same overall technique, the campaign was even larger in scale, targeting more than 2 million users while generating approximately 3.7 million unique spoofed application IDs.

Instead of modifying an existing application identifier, the attackers generated a completely random UUIDv4 client ID for every authentication request. 

This approach further reduced opportunities for defenders to correlate authentication events because virtually every request appeared to originate from a different application identifier. 

Advertisement

How attackers scaled cloud account enumeration 

The campaign also used a Microsoft Outlook user agent that Proofpoint has previously observed in multiple account enumeration operations.

Researchers found additional evidence that the operators were conducting broad reconnaissance across organizations. 

The attackers repeatedly tested common corporate usernames — including dsmith, msmith, and jbrown — against numerous Microsoft Entra tenants. 

Because Entra ID records authentication attempts only for valid accounts, this suggests the attackers were identifying legitimate users and common corporate username formats. 

Together, the two campaigns demonstrate that OAuth client ID spoofing is emerging as a scalable technique for large-scale cloud account enumeration while reducing the visibility defenders rely on to detect authentication-based attacks. 

How to detect and mitigate OAuth client ID spoofing in Microsoft Entra ID 

Although the two campaigns differed in infrastructure, user agents, client ID generation, and enumeration patterns, they demonstrate that OAuth client ID spoofing is becoming a widely adopted reconnaissance technique. 

As a result, organizations should look beyond successful authentication events when monitoring Microsoft Entra ID. 

  • Monitor Microsoft Entra sign-in logs for blank application names, missing application IDs, and AADSTS700016 error codes that may indicate OAuth client ID spoofing.
  • Correlate authentication activity across users, IP addresses, user agents, and failed sign-ins to identify password spraying and account enumeration campaigns.
  • Require phishing-resistant MFA, such as passkeys or FIDO2 security keys, to reduce the impact of stolen credentials.
  • Strengthen Conditional Access policies by evaluating user risk, device health, network location, and authentication strength rather than relying solely on application-based controls.
  • Disable legacy authentication methods and restrict OAuth Resource Owner Password Credentials (ROPC) wherever possible.
  • Continuously monitor Microsoft Entra Identity Protection, Defender XDR, and other identity telemetry for signs of suspicious authentication activity.
  • Regularly test identity-focused incident response plans and detection workflows to ensure teams can quickly identify, investigate, and contain cloud account enumeration attempts.

Collectively, these measures can help organizations build resilience against cloud identity attacks.

Advertisement

Bottom Line

As cloud identity attacks continue to evolve, security teams should ensure their detection strategies evolve alongside attacker techniques. 

OAuth client ID spoofing illustrates how threat actors are reducing their visibility during the reconnaissance phase, making traditional authentication monitoring alone less effective. 

Evolving identity-based attack techniques are reinforcing the need for Zero Trust solutions that help strengthen access controls and reduce blast radius.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.