Proofpoint found that attackers are abusing OAuth client ID spoofing in Microsoft Entra ID to enumerate accounts and validate credentials without creating successful sign-in events. Multiple large campaigns, including UNK_pyreq2323 and UNK_OutFlareAZ, used different tooling and infrastructure to hide activity and evade detections. #Proofpoint #MicrosoftEntraID #UNK_pyreq2323 #UNK_OutFlareAZ
Keypoints
- Proofpoint observed OAuth client ID spoofing being used as a new technique in cloud-based authentication campaigns.
- Microsoft Entra ID logging behavior can reveal whether a client ID is valid, registered, or spoofed, enabling attackers to infer account and password validity.
- Attackers can enumerate users without generating a successful sign-in event, making the activity harder to detect through normal authentication telemetry.
- Two major campaigns were identified: UNK_pyreq2323 and UNK_OutFlareAZ, each showing distinct infrastructure, tooling, and execution patterns.
- UNK_pyreq2323 used Python requests from AWS infrastructure and spoofed more than 700,000 client IDs while targeting over 1 million users.
- UNK_OutFlareAZ used a more mature approach with fully randomized UUIDv4 client IDs and targeted more than 2 million users across millions of spoofed application IDs.
- Defenders should watch for sign-in log entries with blank application names or missing application IDs as possible indicators of spoofed client IDs.
MITRE Techniques
- [T1580 ] Cloud Infrastructure Discovery â Attackers leveraged cloud authentication behavior in Microsoft Entra ID and used AWS/Cloudflare-hosted infrastructure to conduct large-scale campaigns (âoriginated from AWS infrastructureâ / âoriginating primarily from Cloudflare infrastructureâ).
- [T1110.001 ] Password Guessing â The campaigns used authentication attempts to infer whether usernames and passwords were valid (âinfer the validity of usernames and passwordsâ / âreturned for a valid username with an invalid passwordâ).
- [T1110.003 ] Password Spraying â Attackers distributed authentication attempts across many accounts and tenants to avoid obvious detection (âtargeted over one million unique user accounts across nearly 4,000 tenantsâ / âprecompiled username wordlistsâ).
- [T1589.003 ] Email Account â User Enumeration â The technique enabled enumeration of valid accounts without successful sign-ins (âenumerate your entire organizationâs accounts without generating a single successful sign-in eventâ / âidentify valid accounts and passwordsâ).
- [T1133 ] External Remote Services â Attackers abused Microsoft Entra ID authentication endpoints as an external access path (âissuing POST requests to Microsoftâs OAuth 2.0 token endpointâ).
- [T1078 ] Valid Accounts â The activity was used to identify valid username-password pairs that could support later account compromise (âfacilitates enumeration of valid username-password pairsâ).
- [T1566 ] Phishing â The article does not describe phishing directly, but the credential-validation workflow can support account compromise often associated with follow-on social engineering (âinfer both password and account validityâ).
Indicators of Compromise
- [User agents ] observed in campaigns â python-requests/2.32.3, Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.12026; Pro
- [Client IDs / spoofed application IDs ] spoofed Entra application identifiers â 00000002-0000-0ff1-ce00-000000000000, f9bae775-ef31-44c0-ad33-f50f62b3aba8
- [Client ID patterns ] randomized last digits or full UUIDv4s â 00000002-0000-0ff1-ce00-000000100001, 89274bc8-5605-4639-b850-1d5fc2de4bad
- [OAuth endpoint ] authentication requests were sent to â /common/oauth2/token, Microsoftâs OAuth 2.0 token endpoint
- [AADSTS error codes ] responses used for enumeration â AADSTS50034, AADSTS50126, and AADSTS700016
- [Cloud infrastructure ] campaign sources â AWS, Cloudflare, and other proxy infrastructure