Full Report
OAuth client ID spoofing lets attackers test Entra accounts and stolen passwords without successful sign-ins, leaving application names blank in logs.
Analysis Summary
# Vulnerability: OAuth Client ID Spoofing in Microsoft Entra ID
## CVE Details
- **CVE ID**: Not explicitly assigned (Design-level flaw in Entra ID telemetry/error handling).
- **CVSS Score**: N/A (Estimated Medium/High based on impact to Identity Security).
- **CWE**: CWE-200 (Exposure of Sensitive Information Through an Error Message), CWE-204 (Response Discrepancy Information Leak).
## Affected Systems
- **Products**: Microsoft Entra ID (formerly Azure Active Directory).
- **Versions**: Cloud-based service (current versions as of 2025-2026).
- **Configurations**: Environments utilizing OAuth 2.0 endpoints, specifically those allowing Resource Owner Password Credentials (ROPC) flows.
## Vulnerability Description
The flaw resides in how Microsoft Entra ID processes authentication requests containing spoofed or malformed OAuth Client IDs. When an attacker sends an HTTP POST request to the token endpoint with a syntactically valid but non-existent UUID as the `client_id`, Entra ID returns specific AADSTS error codes. These error codes differ depending on whether the username exists and if the password is correct.
Because the spoofed Client ID does not map to a registered application, Microsoft’s telemetry logs the event with a **blank application name**. This creates a "blind spot" where attackers can perform large-scale credential validation without triggering alerts tied to specific application IDs.
## Exploitation
- **Status**: Exploited in the wild (identified in campaigns by threat actors UNK_pyreq2323 and UNK_OutFlareAZ).
- **Complexity**: Low.
- **Attack Vector**: Network (Remote).
## Impact
- **Confidentiality**: Medium (Allows validation of usernames and passwords).
- **Integrity**: Low (Does not grant immediate access but facilitates subsequent account takeover).
- **Availability**: Medium (Can lead to account lockouts for legitimate users due to failed brute-force attempts).
## Remediation
### Patches
- As this is a cloud-side logic behavior, no local patches are available. Users are dependent on Microsoft to update Entra ID error handling and telemetry logging.
### Workarounds
- **Disable ROPC**: Disable the Resource Owner Password Credentials flow where not strictly necessary, as it is highly susceptible to this technique.
- **Enforce MFA**: Implementing Multi-Factor Authentication (MFA) prevents attackers from gaining access even if they validate a password via spoofing.
## Detection
- **Indicators of Compromise**:
- Sign-in logs showing AADSTS error codes (e.g., related to invalid credentials) where the **Application Name** field is empty or null.
- Large volumes of authentication requests originating from cloud infrastructure (AWS/Cloudflare) directed at the OAuth 2.0 token endpoint.
- **Detection Methods**:
- Create alerts in Microsoft Sentinel or Entra ID for sign-in attempts where `AppDisplayName` is empty.
- Monitor for spikes in AADSTS error responses tagged to a single source IP across multiple user accounts.
## References
- hxxps[://]thehackernews[.]com/2026/07/oauth-client-id-spoofing-lets-attackers.html
- hxxps[://]www[.]proofpoint[.]com/us/blog/threat-insight/oauth-client-id-spoofing-why-fake-client-ids-are-gaining-traction-stealthy
- hxxps[://]learn[.]microsoft[.]com/en-us/entra/identity-platform/reference-error-codes