ctipilot.ch
← Back to the live brief
NOTABLENATOB2research

Proofpoint: OAuth client ID spoofing validates stolen Entra ID credentials at scale without writing a successful sign-in log

discovered 2026-07-15 04:36 UTCrun 2026-07-15T0409Z-intel3 sourcesmulti-source

Proofpoint's Threat Research team documented a stealthy authentication-evasion technique — OAuth client ID spoofing — being independently weaponised by two distinct clusters against Microsoft Entra ID (Proofpoint, 2026-07-13). The mechanism abuses the legacy Resource Owner Password Credentials (ROPC) flow: an attacker POSTs a username and password to Entra ID's /common/oauth2/token endpoint while supplying an arbitrary, unregistered GUID as the client_id parameter instead of a real application ID. Entra ID's differential error responses then leak validity regardless of whether the client_id is legitimate — AADSTS50034 for a non-existent username, AADSTS50126 for a valid username with the wrong password, and, critically, AADSTS700016 ("application not found in directory") when the username and password are both correct, because Entra ID validates the credential before it fails on the unrecognised client. The result is a credential-validity oracle that most defenders misread: AADSTS700016 is ordinarily dismissed as a harmless misconfigured-app error, which is precisely the blind spot both clusters exploited (Help Net Security, 2026-07-13).

The evasion value is in the telemetry: none of these code paths writes a successful sign-in event, and because the client_id is unregistered, the sign-in log entry carries no application name at all — "detections that look for surges against a specific application name may miss this activity entirely, as the field is blank" (Proofpoint, 2026-07-13). Proofpoint attributes two campaigns of opportunistic mass enumeration: UNK_pyreq2323 (January–March 2026, AWS-hosted, 700,000+ distinct spoofed client IDs) and UNK_OutFlareAZ (December 2025–March 2026, Cloudflare-fronted, 3.7M distinct spoofed IDs), whose divergent tooling and client-ID-generation strategies point to parallel invention rather than shared code (The Hacker News, 2026-07-13).

When a spoofed client ID is used, no corresponding application name is recorded in the sign-in log. This means that detections that look for surges against a specific application name may miss this activity entirely, as the field is blank.

By fragmenting authentication attempts across many fictional applications, activity becomes harder to correlate and may evade per-application detections and rate limiting.

Proofpoint Threat Research 2026-07-13

Defender actions

  • Block the ROPC (Resource Owner Password Credentials) grant type in Entra ID via legacy-authentication blocking policy; it is the load-bearing fix, since Conditional Access policies scoped to specific applications are bypassed by an unregistered client_id.

ATT&CK mapping

3 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Reconnaissance TA0043
T1589.001Gather Victim Identity Information: Credentials

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.

overlap matrix · ATT&CK page ↗

Initial Access TA0001
T1078.004Valid Accounts: Cloud Accounts

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1078.004Valid Accounts: Cloud Accounts

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1078.004Valid Accounts: Cloud Accounts

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1078.004Valid Accounts: Cloud Accounts

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1110.004Brute Force: Credential Stuffing

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.