Full Report
Organizations should check their logs for signs of an increasingly popular obfuscation technique, Proofpoint said.
Analysis Summary
# Tool/Technique: OAuth Client ID Spoofing (Entra ID Enumeration)
## Overview
This technique involves threat actors spoofing OAuth client identifiers (IDs) during the authentication process with Microsoft Entra ID (formerly Azure AD). By faking these IDs—often using non-existent or "garbage" identifiers—attackers can perform stealthy user enumeration and validate credentials without triggering typical security alerts or conditional access policies.
## Technical Details
- **Type:** Technique (Obfuscation / Reconnaissance)
- **Platform:** Microsoft Entra ID (Cloud Environments)
- **Capabilities:** User enumeration, password validity inference, bypass of application-specific security policies.
- **First Seen:** December 2025 (Wave 1); January 2026 (Wave 2)
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
- [T1087.004 - Account Discovery: Cloud Account]
- [T1033 - System Owner/User Discovery]
- **[TA0006 - Credential Access]**
- [T1110.001 - Brute Force: Password Guessing]
- **[TA0005 - Defense Evasion]**
- [T1562 - Impair Defenses]
- [T1078.004 - Valid Accounts: Cloud Accounts]
## Functionality
### Core Capabilities
- **User Enumeration:** Allows unauthenticated attackers to identify valid usernames within an organization's Entra ID directory.
- **Credential Validation:** Attackers can infer if a password is correct based on the specific error responses returned, all without generating a "successful sign-in" event in the logs.
- **Log Obfuscation:** By using spoofed or fake IDs, the "Application" field in Entra ID sign-in logs frequently appears blank or contains random strings, making it difficult for automated tools to trend-match the activity.
### Advanced Features
- **Conditional Access Bypass:** Because the spoofed client ID does not correspond to a registered, legitimate application, security policies (Conditional Access) scoped to specific apps are never triggered.
- **Scalability:** Observed campaigns utilized millions of unique spoofed IDs across thousands of target organizations, indicating highly automated tooling.
## Indicators of Compromise
- **File Hashes:** N/A (Cloud-based technique)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:** While specific IPs were not listed in the summary, defenders should look for high-volume requests from unfamiliar IP ranges targeting Entra ID endpoints.
- **Behavioral Indicators:**
- Sign-in logs with a **blank** or **null** "Application" field.
- Large volumes of failed sign-in attempts using non-existent OAuth Client IDs.
- Patterns of "User Not Found" vs "Incorrect Password" timing/responses.
## Associated Threat Actors
- **Multiple Unnamed Actors:** Proofpoint suggests independent adoption by various groups due to distinct infrastructure and execution patterns.
## Detection Methods
- **Log Analysis:** Specifically monitor Microsoft Entra ID sign-in logs for entries where the `AppId` or `Client ID` field is empty, null, or does not map to a recognized application in the environment.
- **Behavioral Detection:** Implement alerts for high-frequency authentication failures across multiple accounts originating from a single IP address, even if they don't target a specific known application.
- **Anomalous Volume:** Monitor for "Unknown" client ID strings appearing suddenly in large quantities.
## Mitigation Strategies
- **Tenant-Wide Policies:** Shift from application-specific Conditional Access policies to tenant-wide policies that apply to "All Cloud Apps."
- **Strict MFA:** Enforce Multi-Factor Authentication (MFA) for all users to nullify the impact of validated passwords.
- **Continuous Monitoring:** Utilize Identity Protection tools within Entra ID to flag risky sign-ins and "impossible travel" scenarios that often follow successful enumeration.
## Related Tools/Techniques
- **OAuth Device Code Flow Phishing:** Another method of abusing OAuth for unauthorized access.
- **Password Spraying:** The broader category of attack this technique enhances.
- **Cloud Enumeration Tools:** (e.g., Microburst, AADInternals) often use similar API-level probing.