A new evasion technique is being exploited by at least two threat actors to bypass security in Microsoft Entra ID environments. This method involves OAuth client ID spoofing, enabling attackers to validate stolen credentials and enumerate user accounts without triggering a sign-in event that could alert security teams. By manipulating the OAuth client ID, which serves as a globally unique identifier for applications, attackers can infer the validity of usernames and passwords without generating a successful sign-in log entry.
Proofpoint researchers have identified that attackers exploit a blind spot in cloud sign-in telemetry. If an OAuth client ID is valid, different error responses are returned, allowing attackers to confirm valid credentials without logging in. This tactic has been observed in campaigns that spoof User-Agent strings and target Microsoft Entra ID environments, exploiting legacy applications like Windows Live Custom Domains to evade standard sign-in restrictions.
The attackers use HTTP POST requests to Microsoft's OAuth 2.0 token endpoint, employing the Resource Owner Password Credentials flow. This involves using a syntactically correct, yet non-corresponding client ID, which only records the application ID in logs without an application name. As a result, this activity can go unnoticed, making it difficult for security teams to detect.
Proofpoint has identified two major campaigns adopting this technique since December 2025. The campaigns differ in their methods, with one using valid UUIDs and the other modifying known application IDs. By spreading authentication attempts across various fictional applications, attackers can evade detection that focuses on specific applications. This presents a significant challenge for organizations trying to employ Conditional Access policies as spoofed client IDs do not trigger these measures.


