ctipilot.ch

UNK_pyreq2323

actor · actor:unk-pyreq2323

Proofpoint-tracked cluster (disclosed 2026-07-13) that ran OAuth client ID spoofing against Microsoft Entra ID from AWS infrastructure, Jan–Mar 2026: 700,000+ distinct spoofed client IDs used to enumerate and validate credentials without generating a successful sign-in log entry, via the ROPC token endpoint and differential AADSTS error responses.

Coverage timeline
1
first 2026-07-15 → last 2026-07-15
Peak priority
notable
1 notable
Sources cited
3
3 hosts
Sections touched
1
research
Co-occurring entities
1
see Related entities below
ATT&CK techniques
3
pinned v19.1 · see below

Hunting pivots

Affected products
Microsoft Entra ID

ATT&CK techniques

3 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Reconnaissance TA0043

T1589.001Gather Victim Identity Information: Credentials×1

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.

Evidence: 2026-07-15/proofpoint-oauth-client-id-spoofing-entra-id-evasion · ATT&CK page ↗

Initial Access TA0001

T1078.004Valid Accounts: Cloud Accounts×1

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

Evidence: 2026-07-15/proofpoint-oauth-client-id-spoofing-entra-id-evasion · ATT&CK page ↗

Persistence TA0003

T1078.004Valid Accounts: Cloud Accounts×1

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

Evidence: 2026-07-15/proofpoint-oauth-client-id-spoofing-entra-id-evasion · ATT&CK page ↗

Privilege Escalation TA0004

T1078.004Valid Accounts: Cloud Accounts×1

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

Evidence: 2026-07-15/proofpoint-oauth-client-id-spoofing-entra-id-evasion · ATT&CK page ↗

Stealth TA0005

T1078.004Valid Accounts: Cloud Accounts×1

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

Evidence: 2026-07-15/proofpoint-oauth-client-id-spoofing-entra-id-evasion · ATT&CK page ↗

Credential Access TA0006

T1110.004Brute Force: Credential Stuffing×1

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.

Evidence: 2026-07-15/proofpoint-oauth-client-id-spoofing-entra-id-evasion · ATT&CK page ↗

Story timeline

  1. 2026-07-15Proofpoint: OAuth client ID spoofing validates stolen Entra ID credentials at scale without writing a successful sign-in log
    researchA fake client_id on Entra ID's ROPC token endpoint lets attackers enumerate and validate credentials while leaving a blank application name in the sign-in log

Where this entity is cited

  • research1

Source distribution

  • helpnetsecurity.com1 (33%)
  • proofpoint.com1 (33%)
  • thehackernews.com1 (33%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about UNK_pyreq2323 (1)

2026-07-15 · view entry permalink →

NOTABLENATOB2

Proofpoint: OAuth client ID spoofing validates stolen Entra ID credentials at scale without writing a successful sign-in log

Proofpoint's Threat Research team documented a stealthy authentication-evasion technique — OAuth client ID spoofing — being independently weaponised by two distinct clusters against Microsoft Entra ID (Proofpoint, 2026-07-13). The mechanism abuses the legacy Resource Owner Password Credentials (ROPC) flow: an attacker POSTs a username and password to Entra ID's /common/oauth2/token endpoint while supplying an arbitrary, unregistered GUID as the client_id parameter instead of a real application ID. Entra ID's differential error responses then leak validity regardless of whether the client_id is legitimate — AADSTS50034 for a non-existent username, AADSTS50126 for a valid username with the wrong password, and, critically, AADSTS700016 ("application not found in directory") when the username and password are both correct, because Entra ID validates the credential before it fails on the unrecognised client. The result is a credential-validity oracle that most defenders misread: AADSTS700016 is ordinarily dismissed as a harmless misconfigured-app error, which is precisely the blind spot both clusters exploited (Help Net Security, 2026-07-13).

The evasion value is in the telemetry: none of these code paths writes a successful sign-in event, and because the client_id is unregistered, the sign-in log entry carries no application name at all — "detections that look for surges against a specific application name may miss this activity entirely, as the field is blank" (Proofpoint, 2026-07-13). Proofpoint attributes two campaigns of opportunistic mass enumeration: UNK_pyreq2323 (January–March 2026, AWS-hosted, 700,000+ distinct spoofed client IDs) and UNK_OutFlareAZ (December 2025–March 2026, Cloudflare-fronted, 3.7M distinct spoofed IDs), whose divergent tooling and client-ID-generation strategies point to parallel invention rather than shared code (The Hacker News, 2026-07-13).

When a spoofed client ID is used, no corresponding application name is recorded in the sign-in log. This means that detections that look for surges against a specific application name may miss this activity entirely, as the field is blank.

By fragmenting authentication attempts across many fictional applications, activity becomes harder to correlate and may evade per-application detections and rate limiting.

Proofpoint Threat Research 2026-07-13
research15 Jul 04:36Zmulti-sourceOpen finding ↗