Full Report
At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry. The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun
Analysis Summary
# Tool/Technique: OAuth Client ID Spoofing
## Overview
OAuth Client ID Spoofing is a novel evasion technique used against Microsoft Entra ID (formerly Azure AD) environments. By supplying syntactically valid but non-existent or "spoofed" OAuth client IDs during authentication requests, attackers can enumerate user accounts and validate passwords. The technique exploits a telemetry "blind spot" where Entra ID returns specific error codes that reveal credential validity without generating a successful sign-in log that typically triggers security alerts.
## Technical Details
- **Type**: Technique / Evasion
- **Platform**: Cloud (Microsoft Entra ID / Microsoft 365)
- **Capabilities**: Account enumeration, credential validation, telemetry evasion, bypass of application-based detection.
- **First Seen**: December 2025
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1078.004 - Valid Accounts: Cloud Accounts
- **TA0006 - Credential Access**
- T1110.001 - Brute Force: Password Guessing
- T1110.003 - Brute Force: Password Spraying
- **TA0007 - Discovery**
- T1087.004 - Account Discovery: Cloud Account
- **TA0005 - Defense Evasion**
- T1562 - Impair Defenses (Slipping past telemetry)
## Functionality
### Core Capabilities
- **Credential Validation**: By analyzing AADSTS error codes in response to ROPC (Resource Owner Password Credentials) flows, attackers determine if a password is correct for a specific user.
- **Account Enumeration**: Distinguishes between valid and invalid usernames based on the variations in the error responses provided by the Microsoft Entra ID token endpoint.
- **Telemetry Evasion**: Using a spoofed client ID causes the Entra sign-in log to leave the "Application Name" field blank. This bypasses security monitoring tools that focus on spikes in activity against known application names.
### Advanced Features
- **MALFORMED UUID Handling**: Entra ID processes malformed (non-UUIDv4) client IDs differently, providing unique error responses that further assist in refining enumeration.
- **Scale and Infrastructure**: Attackers have been observed using large-scale cloud infrastructure (AWS and Cloudflare) to rotate source IPs and automate the spoofing process against millions of users.
## Indicators of Compromise
- **File Hashes**: N/A (Cloud-based technique)
- **File Names**: N/A
- **Registry Keys**: N/A
- **Network Indicators**:
- Requests to `https://login.microsoftonline[.]com/common/oauth2/v2.0/token`
- Traffic originating from AWS or Cloudflare IP ranges associated with UNK_pyreq2323 or UNK_OutFlareAZ.
- **Behavioral Indicators**:
- Entra ID Sign-in logs with a populated **Application ID** but a **blank Application Name**.
- High volume of AADSTS error codes associated with failed logins from a specific source without any recorded successful logins.
- User-Agent spoofing (e.g., using strings associated with legacy apps like "Windows Live Custom Domains").
## Associated Threat Actors
- **UNK_pyreq2323**: Observed using over 700,000 spoofed IDs to target 1 million accounts.
- **UNK_OutFlareAZ**: Targeted over 2 million users using 3.7 million randomized spoofed application IDs.
- **UNK_CustomCloak**: Known for orchestrating brute-force campaigns using legacy app identifiers.
## Detection Methods
- **Behavioral Detection**:
- Monitor for sign-in logs where the `AppDisplayName` is null or empty while the `AppId` is present.
- Audit for spikes in AADSTS error codes (e.g., `50126` for invalid credentials) across multiple user accounts originating from the same IP range.
- **Identity Protection**: Enable Microsoft Entra ID Identity Protection to flag "unfamiliar sign-in properties" or "at-risk users" involved in high-volume failed authentication attempts.
## Mitigation Strategies
- **Enforce MFA**: Multi-Factor Authentication prevents attackers from leveraging validated credentials for actual access.
- **Disable ROPC**: Disable or restrict the Resource Owner Password Credentials flow, as it is a legacy flow that facilitates these password-based attacks.
- **Conditional Access**: Implement strict Conditional Access Policies (CAPs) to block authentication attempts from untrusted locations or non-compliant devices.
- **Continuous Monitoring**: Shift detection logic to focus on `AppId` GUIDs rather than just human-readable `AppTitles`.
## Related Tools/Techniques
- **ROPC Password Spraying**: The underlying flow used for this technique.
- **User-Agent Spoofing**: Often used in conjunction to bypass legacy security filters.
- **Smart Lockouts**: Microsoft's native defense which may be triggered by these campaigns (observed 28% lockout rate in some campaigns).