Cybersecurity researchers have uncovered a sophisticated technique where threat actors exploit spoofed OAuth client IDs to stealthily enumerate Microsoft Entra ID accounts. This method allows attackers to identify valid credentials while evading traditional detection mechanisms.
OAuth client IDs are unique identifiers assigned to registered applications. During authentication, an application submits its identifier through the client_id parameter, which Microsoft Entra ID logs in sign-in records, including the application name when the ID corresponds to a legitimate app.
However, attackers can fabricate client IDs during authentication requests. Entra ID provides different error messages based on the validity of the username, password, and application identifier. For instance, a non-existent username generates an AADSTS50034 error, while a valid username with an incorrect password returns AADSTS50126. If a valid username and password are used with an unregistered or spoofed application ID, Entra ID may return an AADSTS700016 error, indicating that the application identifier is not recognized.
This response is significant because it can reveal valid username-password pairs without triggering a successful sign-in event. Consequently, attackers can identify compromised credentials while security teams only see what appear to be failed authentication attempts.
Additionally, this technique undermines detection efforts based on application names. When a syntactically valid but unregistered client ID is supplied, Entra ID may log the application ID without an associated application name. If the ID is malformed, both the application ID and application name fields may be empty. Security tools that monitor for unusual authentication volumes against known applications could fail to correlate this activity effectively.
Two major campaigns utilizing this approach have been identified. The first, tracked as UNK_pyreq2323, occurred in January 2026 and targeted over 111 million accounts across nearly 4,000 Entra ID tenants. This campaign employed over 700,000 spoofed client IDs and reportedly caused account lockouts for approximately 28% of the targeted users.
The second campaign, tracked as UNK_OutFlareAZ, began in December 2025 and operated at a significantly larger scale. It targeted more than 222 million users and utilized 3.7 million spoofed client IDs. This activity primarily originated from Cloudflare infrastructure and employed a forged Microsoft Outlook user agent.
These findings underscore the evolving tactics of cyber adversaries who continuously adapt their methods to bypass security measures. Organizations must enhance their monitoring capabilities to detect such sophisticated enumeration techniques and implement robust authentication mechanisms to safeguard against unauthorized access.