Recent cybersecurity investigations have uncovered that at least two distinct threat actors are leveraging a technique known as OAuth client ID spoofing to validate stolen credentials within Microsoft Entra ID environments. This method allows attackers to confirm the validity of user accounts and passwords without triggering successful sign-in events, thereby evading detection mechanisms.
In this attack vector, adversaries manipulate the OAuth client ID—a globally unique identifier assigned to applications during authentication requests. By submitting syntactically correct but unregistered client IDs, attackers can infer the existence of user accounts and the accuracy of passwords based on the error responses received from Microsoft’s OAuth 2.0 token endpoint. This process does not generate standard sign-in logs, creating a blind spot in cloud telemetry and making it challenging for defenders to detect unauthorized access attempts.
Proofpoint, a cybersecurity firm, has identified two significant campaigns employing this technique since late December 2025. The first campaign, dubbed UNK_pyreq2323, was active from January to March 2026, while the second, UNK_customCloak, has been ongoing since April 2026. These campaigns demonstrate the increasing adoption of OAuth client ID spoofing among threat actors, highlighting the need for enhanced monitoring and detection strategies within cloud environments.
To mitigate the risks associated with this evasion technique, organizations should implement comprehensive monitoring of authentication logs, paying close attention to anomalies such as missing application names in sign-in events. Additionally, enforcing multi-factor authentication (MFA) and regularly reviewing OAuth application permissions can help reduce the attack surface and prevent unauthorized access.
The emergence of OAuth client ID spoofing underscores the evolving tactics of cyber adversaries in exploiting cloud authentication mechanisms. As attackers continue to refine their methods to bypass traditional security measures, it is imperative for organizations to stay vigilant and adapt their defense strategies accordingly.