Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Pakistani Police Systems Hit by Chinese and Indian Espionage

July 13, 2026

Novel OAuth Client ID Spoofing Technique Targets Cloud Environments

July 13, 2026

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

July 13, 2026
Facebook X (Twitter) Instagram
Monday, July 13
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Novel OAuth Client ID Spoofing Technique Targets Cloud Environments
News

Novel OAuth Client ID Spoofing Technique Targets Cloud Environments

Team-CWDBy Team-CWDJuly 13, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cyber-attackers are increasingly deploying a stealthy technique which enables them to spoof OAuth Client IDs to gain access to cloud environments, cybersecurity experts have warned.

According to research by analysts at Proofpoint, cybercriminals are leveraging Microsoft Entra ID, the tech giant’s cloud-based identity and access management solution, formerly known as Azure AD, to gain access to accounts without a registered OAuth client ID.

The nature of the technique means that it is difficult for defenders to identify suspicious activity, while at the same time, the attackers are provided with stealthy access to the organization’s cloud services.

OAuth client ID spoofing has emerged as a novel technique and is increasingly leveraged in campaigns which target the cloud, Proofpoint warned in a blog post published on July 13.

Entra sign‑in logs are common tool for defenders to aid with identifying malicious authentication activity, such user enumeration. User enumeration is an attack technique when a malicious actor uses brute-force and password spraying to guess or confirm the login ID of a real user.

However, the research details how attackers are exploiting OAuth client ID spoofing to bypass detection by Entra sign-in logs, therefore helping them to stealthily compromise enterprise cloud services. 

Evading Detection via Microsoft Entra

Proofpoint explained that client ID spoofing was performed by issuing POST requests to Microsoft’s OAuth 2.0 token endpoint using the Resource Owner Password Credentials (ROPC) flow, which allowed direct submission of usernames and passwords.

This results in Azure Active Directory Security Token Service (AADSTS) error codes which allows unauthenticated requestors to infer the validity of usernames and passwords, as well as the enforcement of additional controls such as multi-factor authentication (MFA) or zero-trust concepts like conditional access (CA).

With this information, the attackers could identify accounts which could be exploited. Crucially, the use of the spoofed IDs and blank fields in Entra ID logs makes the malicious activity harder for defenders to identify.

Proofpoint said that it has tracked multiple large-scale campaigns deploying this technique, targeting millions of user accounts across thousands of Microsoft Entra tenants in the wild.

They note how the attackers make attempts to spoof common usernames to aid the process of client ID spoofing. Some examples listed in the blog include, initials paired with common surnames such as Smith, Jones, Williams, and Johnson leading to requests made with logins like jsmith, ajohnson and awilliams.

By doing this, attackers are not only taking advantage of how common the names are, but also how unlikely it is that the organization will change their username to something more complex.

Researchers warned that organizations should expect more attackers to look for ways to exploit this technique.

“The emergence of multiple campaigns with unique tools and infrastructure suggests this technique is gaining traction among threat actors targeting cloud environments,” the blog post warned.

Proofpoint said that in response to this tactic, defenders should treat sign-in log entries with blank application IDs, or those without a correspond application name, as potential indicators of client ID spoofing.

They also suggested that defenders should be alert that an AADSTS700016 error code may signal compromised credentials, not just a failed login attempt. 



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleRedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service
Next Article Pakistani Police Systems Hit by Chinese and Indian Espionage
Team-CWD
  • Website

Related Posts

News

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

July 13, 2026
News

Hacker Extradited from Ukraine Pleads Guilty to Ryuk Ransomware Charge

July 13, 2026
News

Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots

July 13, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Find your weak spots before attackers do

November 21, 2025

Here’s how to avoid a ‘second strike’

April 11, 2026

What it takes to fool facial recognition

March 14, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.