Invisible OAuth Spoofing Campaigns Put Millions of Microsoft Entra Accounts at Risk + Video

Listen to this Post

Featured ImageIntroduction: A New Era of Credential Validation Without Logging In

Cybercriminals are constantly searching for ways to stay one step ahead of enterprise security teams. While organizations continue investing in stronger authentication, multi-factor authentication, and advanced monitoring, attackers are quietly discovering overlooked behaviors within identity platforms that allow them to verify stolen credentials without ever completing a successful login.

Researchers at Proofpoint have uncovered a sophisticated technique that abuses Microsoft Entra ID’s OAuth authentication process by spoofing OAuth application client IDs. Rather than exploiting a software vulnerability, attackers leverage the platform’s response logic to determine whether usernames and passwords are valid. Because these authentication attempts never successfully sign in, they often avoid the attention of traditional security monitoring systems.

This discovery highlights a dangerous evolution in identity-based attacks. Instead of breaking into systems immediately, threat actors are investing time in quietly building highly accurate credential databases that can later be used for phishing, business email compromise, ransomware, and cloud account takeovers.

Understanding the Newly Discovered OAuth Client ID Spoofing Technique

Proofpoint researchers revealed that attackers are abusing

Normally, an OAuth authentication request includes several parameters:

Username

Password

Client ID (Application Identifier)

The Client ID identifies a legitimate application that has been registered inside Microsoft Entra ID.

However, researchers discovered that Microsoft accepts authentication requests even when the Client ID is completely fabricated.

Instead of immediately rejecting the request, Microsoft processes enough of the authentication workflow to determine whether the supplied credentials are valid before eventually returning an application-related error.

This subtle behavior gives attackers an unexpected source of intelligence.

Why Error Messages Become an

Microsoft Entra returns different authentication error codes depending on what failed during the authentication attempt.

Those differences become extremely valuable to attackers.

For example:

AADSTS50034 indicates the username does not exist.

AADSTS50126 confirms the username exists but the password is incorrect.

AADSTS700016 reports that the application identifier is invalid or unknown.

The most concerning scenario occurs when attackers receive AADSTS700016 after submitting a fake Client ID together with stolen credentials.

Rather than simply indicating an application problem, this response can strongly suggest that both the username and password are actually correct.

In other words, attackers can verify stolen credentials without ever successfully authenticating.

Why This Matters for Enterprise Security

Traditional security monitoring often focuses on successful logins or repeated failures against known Microsoft applications such as:

Exchange Online

Azure AD PowerShell

Microsoft Graph

Office applications

Since attackers are no longer using legitimate application IDs, these detections become far less effective.

Instead of repeatedly targeting one application, every authentication request appears to originate from an entirely different fake application.

Security teams lose one of their strongest correlation points.

How Attackers Hide Their Activity

Microsoft Entra normally records:

Application ID

Application Name

during authentication events.

With spoofed OAuth requests:

Random Client IDs may appear without any application name.

Malformed Client IDs may remove both application fields entirely.

Although Microsoft still logs authentication activity, analysts may incorrectly classify these events as harmless application registration errors instead of active credential validation attempts.

This significantly complicates incident response investigations.

The First Campaign: UNK_pyreq2323

Proofpoint identified the first large-scale campaign beginning on January 14, 2026.

Researchers tracked the operation under the name UNK_pyreq2323.

Key characteristics included:

AWS-hosted infrastructure

python-requests/2.32.3 user agent

More than one million targeted user accounts

Nearly 4,000 Microsoft Entra tenants attacked

More than 700,000 spoofed OAuth Client IDs generated

Rather than creating completely random identifiers, attackers copied the beginning of Microsoft’s legitimate Exchange Online Client ID before randomizing only the last six characters.

This made the fake identifiers appear more realistic while reducing detection accuracy.

Each fabricated Client ID was reused against only a small number of users.

Because no single application generated massive authentication traffic, behavioral detection became much harder.

Even more concerning, approximately 28% of targeted users reportedly experienced account lockouts due to repeated authentication attempts.

The Second Campaign: UNK_OutFlareAZ

An even larger campaign started several weeks earlier in December 2025.

Proofpoint named this operation UNK_OutFlareAZ.

Its scale was remarkable.

Researchers observed:

More than two million targeted users

Approximately 3.7 million spoofed OAuth application identifiers

Cloudflare-hosted infrastructure

Additional distributed cloud services

Microsoft Outlook-style User Agent

Unlike the previous campaign, every authentication request generated an entirely new UUIDv4-style Client ID.

No fake application identifier was reused.

This one-time-use strategy dramatically reduced opportunities for correlation and detection.

Comparing Both Threat Operations

Although both campaigns relied on the same authentication weakness, they demonstrated notable operational differences.

UNK_pyreq2323 favored AWS infrastructure and partially cloned

UNK_OutFlareAZ instead generated fully random Client IDs while operating through Cloudflare infrastructure and mimicking Microsoft Outlook traffic.

These differences suggest independent threat actors or separate attack frameworks rather than one coordinated campaign.

Despite their differences, both campaigns share the same objective: quietly validating stolen Microsoft credentials while remaining below the detection threshold of conventional identity monitoring.

Why OAuth Client ID Spoofing Changes the Threat Landscape

Credential attacks have traditionally been noisy.

Password spraying, brute-force attacks, and credential stuffing usually produce obvious authentication failures that security teams can investigate.

OAuth Client ID spoofing changes that assumption.

Instead of relying on repeated attempts against recognizable Microsoft applications, attackers distribute authentication requests across hundreds of thousands or even millions of fake application identifiers.

Every request appears unique.

Correlation becomes significantly harder.

Detection rules built around application reputation lose effectiveness.

Conditional Access policies targeting specific applications may never activate because the application itself does not actually exist.

This represents a fundamental shift in cloud identity attacks.

Enterprise Security Implications

Organizations relying exclusively on Microsoft Entra sign-in analytics may unknowingly overlook these activities.

Identity monitoring strategies should evolve beyond application-based correlation.

Security teams should begin analyzing:

Authentication requests lacking application names

Unknown Client IDs

Large volumes of AADSTS700016 responses

Authentication attempts originating from rotating cloud infrastructure

Abnormal User-Agent strings

High-frequency ROPC authentication requests

Combining behavioral analytics with identity intelligence will become increasingly important as attackers continue exploiting legitimate authentication workflows.

Deep Analysis

This technique demonstrates that modern cyberattacks increasingly exploit authentication logic instead of software vulnerabilities. The attack does not compromise Microsoft Entra itself; it abuses expected platform behavior to gather intelligence. From an attacker’s perspective, knowing whether credentials are valid is almost as valuable as obtaining immediate access because validated credentials can later be sold, reused in phishing campaigns, or leveraged against services where MFA is absent.

Security Operations Centers (SOCs) should create detections around authentication anomalies rather than focusing solely on successful sign-ins. Monitoring repeated ROPC requests, unknown client identifiers, and unusual authentication error distributions can expose credential validation campaigns early.

Useful Microsoft hunting examples include:

Microsoft Sentinel (KQL)

SigninLogs

| where ResultType in (700016,50126,50034)

| summarize count() by AppId, ResultType, IPAddress

| order by count_ desc

Identify Missing Application Names

SigninLogs

| where isempty(AppDisplayName)

| project TimeGenerated, UserPrincipalName, AppId, IPAddress

PowerShell Audit

Get-MgAuditLogSignIn |
Where-Object {$_.AppDisplayName -eq $null}

Azure CLI

az monitor activity-log list

Microsoft Defender Advanced Hunting

IdentityLogonEvents

| where ActionType contains Logon

| where AdditionalFields contains 700016

Security recommendations include:

Disable the ROPC authentication flow wherever possible.

Enforce phishing-resistant Multi-Factor Authentication using FIDO2 or passkeys.

Block legacy authentication methods.

Monitor cloud infrastructure IP ranges commonly abused by attackers.

Alert on authentication requests with missing or unknown application names.

Correlate authentication failures by IP address and User-Agent rather than App ID alone.

Review Conditional Access policies to ensure they are not overly dependent on application-specific rules.

Continuously monitor for spikes in AADSTS700016 responses.

Organizations that combine identity telemetry with behavioral analytics will be significantly better positioned to detect this evolving class of authentication abuse.

What Undercode Say:

Identity attacks are evolving beyond password guessing into precision reconnaissance. OAuth Client ID spoofing is a perfect example of attackers weaponizing normal cloud authentication behavior rather than exploiting traditional software flaws.

This technique is particularly dangerous because it exploits trust in authentication logs. Security analysts often prioritize successful logins or repeated failures tied to known Microsoft applications. Here, attackers deliberately eliminate that correlation point.

The massive scale observed by Proofpoint also reflects increasing automation within cybercrime. Generating millions of unique OAuth Client IDs is computationally trivial, making signature-based detection nearly impossible.

Another concern is the use of globally distributed cloud infrastructure such as AWS and Cloudflare. Traffic originating from reputable providers is less likely to be immediately blocked, allowing attackers to blend into legitimate internet traffic.

The abuse of ROPC should also reignite discussions about retiring legacy authentication flows. Although many organizations have modernized authentication, older applications frequently continue relying on ROPC for compatibility, unintentionally expanding the attack surface.

This research further demonstrates that cloud identity has become the new perimeter. Modern attackers no longer need malware on endpoints if they can quietly validate credentials and wait for the right opportunity.

The distinction between authentication failure and authentication intelligence is becoming increasingly blurred. Every error message returned by an identity provider may provide useful information to an attacker.

Defenders should shift away from static IOC-based detections toward behavioral identity analytics that examine relationships between IP addresses, error codes, User-Agent strings, authentication frequency, and cloud infrastructure patterns.

Another overlooked challenge is incident response. Analysts investigating isolated AADSTS700016 events may dismiss them as configuration issues, while attackers interpret them as confirmation of valid credentials. This asymmetry gives threat actors a significant advantage.

Organizations should also recognize that account lockouts are no longer simply a denial-of-service side effect. They can serve as indicators of credential validation campaigns operating at internet scale.

As identity providers continue expanding OAuth ecosystems, similar logic-based abuses will likely emerge across other authentication protocols. Defensive strategies must evolve beyond protecting passwords to understanding the behavior of identity platforms themselves.

Ultimately, the discovery reinforces a broader industry trend: cloud identity security is becoming the primary battlefield in enterprise cybersecurity, and attackers are proving remarkably creative in exploiting every observable behavior exposed by authentication services.

✅ Proofpoint disclosed large-scale campaigns abusing spoofed OAuth Client IDs within Microsoft Entra ID, identifying operations tracked as UNK_pyreq2323 and UNK_OutFlareAZ.

✅ Microsoft Entra authentication responses can reveal different AADSTS error codes, allowing attackers to distinguish between invalid usernames, incorrect passwords, and application-related failures under specific authentication scenarios.

✅ The reported campaigns targeted millions of accounts using cloud-hosted infrastructure and massive numbers of spoofed application identifiers, illustrating a shift toward stealthier identity reconnaissance rather than direct account compromise.

Prediction

(+1) Identity providers are likely to strengthen OAuth validation logic, reduce information leakage from authentication responses, and improve logging around unregistered Client IDs, making similar reconnaissance campaigns easier to detect.

(-1) Threat actors will continue automating identity reconnaissance with AI-assisted tooling, generating billions of unique OAuth Client IDs and increasingly distributing authentication attempts across trusted cloud providers to evade conventional security monitoring before organizations fully adapt.

▶️ Related Video (84% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube