SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
United States
Proofpoint spots Entra ID spoofing attack technique

Proofpoint spots Entra ID spoofing attack technique

Tue, 14th Jul 2026 (Yesterday)
Sean Mitchell
SEAN MITCHELL Publisher

Proofpoint has identified a cloud attack technique that lets threat actors enumerate Microsoft Entra ID accounts by spoofing OAuth client IDs. The method has appeared in multiple large-scale campaigns.

Attackers can use fake client identifiers in authentication requests to test whether usernames exist, infer whether passwords are valid and identify viable accounts without registering an OAuth application. In doing so, they avoid generating the successful sign-in events that security teams often rely on to monitor Microsoft Entra environments.

The technique hinges on how Entra responds to requests sent to Microsoft's OAuth token endpoint under the Resource Owner Password Credentials flow. Different AADSTS error codes reveal whether a username is invalid, whether a password is wrong and, in some cases, whether a username and password pair is valid even when the application identifier itself is not recognised.

That behaviour creates a visibility gap for defenders. When a supplied client ID has the correct format but does not belong to a real application, Entra records the application ID in sign-in logs but leaves the application name blank. If the client ID is malformed, both the application ID and application name may be absent, while the response can still give attackers useful feedback.

Detection gap

Security teams often look for spikes in activity linked to a particular application, especially commonly abused first-party Microsoft tools. Spoofed client IDs make that harder because the activity can be spread across large numbers of fictional applications, reducing the usefulness of per-application detections and making correlation more difficult.

The method also weakens some policy-based controls. Conditional Access rules scoped to named applications may not apply when attackers use spoofed client IDs instead of genuine application identifiers associated with the software defenders expect to see in enumeration or password-spraying activity.

One sign of this activity is Entra sign-in events with no application name. Proofpoint also warned that the AADSTS700016 error, which indicates an application identifier is not recognised, may in some cases reflect valid credentials rather than a simple failed login.

Campaigns observed

Proofpoint tracked at least two large campaigns that used the approach at scale and appeared to be separate operations. Differences in user agents, infrastructure, how client IDs were generated and the order in which users were tested suggested independent adoption by different operators rather than a single campaign.

One campaign, which Proofpoint tracks as UNK_pyreq2323, distributed enumeration attempts across more than 700,000 spoofed client IDs. According to the research, it used the user agent python-requests/2.32.3 and originated from Amazon Web Services infrastructure.

That activity targeted more than one million unique user accounts across nearly 4,000 Entra tenants. The volume of failed attempts triggered account lockouts for about 28% of targeted users.

In that campaign, the attacker used a relatively simple method to create spoofed identifiers. Instead of generating fully random values, the operator took the prefix of the Exchange Online application ID and randomised the final six digits. The spoofed IDs were reused across small numbers of users, with no single fake identifier observed against more than 12 accounts.

A second campaign, tracked as UNK_OutFlareAZ, operated on a larger scale. It targeted more than 2 million users and used 3.7 million spoofed application IDs, with activity coming mainly from Cloudflare infrastructure.

Unlike the first operation, this campaign generated a unique random UUIDv4 client ID for each authentication attempt. That reduced reuse and made it harder to link requests through a shared application identifier. The user agent in these requests appeared as Microsoft Office/16.0, which Proofpoint said it had seen in other enumeration activity over several years.

Researchers also observed repeated username patterns across multiple tenants in the second campaign, including common formats such as dsmith, msmith and jbrown. Because Entra logs attempts only against valid accounts, those patterns suggest the attackers were using a common wordlist of generic usernames across many organisations.

Broader shift

The findings indicate that client ID spoofing is moving beyond a niche tactic and becoming part of the standard playbook for cloud-focused identity attacks. Rather than exploiting a software flaw, the activity takes advantage of standard authentication behaviour and the limits of the telemetry available to defenders.

For security teams, the practical challenge is that the attack can expose valid usernames and even working credentials without producing a successful sign-in event. As a result, investigations into what appears to be simple failed authentication traffic may miss the more serious possibility that attackers have already identified accounts they can use.

Proofpoint urged defenders to scrutinise sign-in logs for entries with missing application names or missing application IDs, and to treat those anomalies as possible evidence of OAuth client ID spoofing.