OAuth Client ID Spoofing: Why Fake Client IDs Are Gaining Traction for Stealthy Enumeration

OAuth Client ID Spoofing: Why Fake Client IDs Are Gaining Traction for Stealthy Enumeration
Proofpoint found that attackers are abusing OAuth client ID spoofing in Microsoft Entra ID to enumerate accounts and validate credentials without creating successful sign-in events. Multiple large campaigns, including UNK_pyreq2323 and UNK_OutFlareAZ, used different tooling and infrastructure to hide activity and evade detections. #Proofpoint #MicrosoftEntraID #UNK_pyreq2323 #UNK_OutFlareAZ

Keypoints

  • Proofpoint observed OAuth client ID spoofing being used as a new technique in cloud-based authentication campaigns.
  • Microsoft Entra ID logging behavior can reveal whether a client ID is valid, registered, or spoofed, enabling attackers to infer account and password validity.
  • Attackers can enumerate users without generating a successful sign-in event, making the activity harder to detect through normal authentication telemetry.
  • Two major campaigns were identified: UNK_pyreq2323 and UNK_OutFlareAZ, each showing distinct infrastructure, tooling, and execution patterns.
  • UNK_pyreq2323 used Python requests from AWS infrastructure and spoofed more than 700,000 client IDs while targeting over 1 million users.
  • UNK_OutFlareAZ used a more mature approach with fully randomized UUIDv4 client IDs and targeted more than 2 million users across millions of spoofed application IDs.
  • Defenders should watch for sign-in log entries with blank application names or missing application IDs as possible indicators of spoofed client IDs.

MITRE Techniques

  • [T1580 ] Cloud Infrastructure Discovery – Attackers leveraged cloud authentication behavior in Microsoft Entra ID and used AWS/Cloudflare-hosted infrastructure to conduct large-scale campaigns (‘originated from AWS infrastructure’ / ‘originating primarily from Cloudflare infrastructure’).
  • [T1110.001 ] Password Guessing – The campaigns used authentication attempts to infer whether usernames and passwords were valid (‘infer the validity of usernames and passwords’ / ‘returned for a valid username with an invalid password’).
  • [T1110.003 ] Password Spraying – Attackers distributed authentication attempts across many accounts and tenants to avoid obvious detection (‘targeted over one million unique user accounts across nearly 4,000 tenants’ / ‘precompiled username wordlists’).
  • [T1589.003 ] Email Account – User Enumeration – The technique enabled enumeration of valid accounts without successful sign-ins (‘enumerate your entire organization’s accounts without generating a single successful sign-in event’ / ‘identify valid accounts and passwords’).
  • [T1133 ] External Remote Services – Attackers abused Microsoft Entra ID authentication endpoints as an external access path (‘issuing POST requests to Microsoft’s OAuth 2.0 token endpoint’).
  • [T1078 ] Valid Accounts – The activity was used to identify valid username-password pairs that could support later account compromise (‘facilitates enumeration of valid username-password pairs’).
  • [T1566 ] Phishing – The article does not describe phishing directly, but the credential-validation workflow can support account compromise often associated with follow-on social engineering (‘infer both password and account validity’).

Indicators of Compromise

  • [User agents ] observed in campaigns – python-requests/2.32.3, Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.12026; Pro
  • [Client IDs / spoofed application IDs ] spoofed Entra application identifiers – 00000002-0000-0ff1-ce00-000000000000, f9bae775-ef31-44c0-ad33-f50f62b3aba8
  • [Client ID patterns ] randomized last digits or full UUIDv4s – 00000002-0000-0ff1-ce00-000000100001, 89274bc8-5605-4639-b850-1d5fc2de4bad
  • [OAuth endpoint ] authentication requests were sent to – /common/oauth2/token, Microsoft’s OAuth 2.0 token endpoint
  • [AADSTS error codes ] responses used for enumeration – AADSTS50034, AADSTS50126, and AADSTS700016
  • [Cloud infrastructure ] campaign sources – AWS, Cloudflare, and other proxy infrastructure


Read more: https://www.proofpoint.com/us/blog/threat-insight/oauth-client-id-spoofing-why-fake-client-ids-are-gaining-traction-stealthy