There is a quiet new way for attackers to rifle through a company’s user accounts, and the sign-in logs most security teams lean on will barely register it. New research from Proofpoint details a technique it calls OAuth client ID spoofing, and the scale of the campaigns already using it suggests it is graduating from clever trick to standard playbook.
Here is the gist. When someone authenticates against Microsoft Entra ID, the identity service formerly known as Azure AD, the request carries an OAuth client ID that names the app making it. Attackers simply invent one. Because the fake ID does not map to a real registered application, Entra ID records the attempt with a blank application name, a gap that detection rules built to watch specific, named apps tend to sail right past.
Why it matters
The payoff is stealthy account and credential validation. The method lets attackers confirm which usernames are real and which stolen passwords still work without ever producing a successful sign-in event. And even when defenders do spot the odd activity, Proofpoint says they often cannot tell that working credentials were exposed in the process, which turns cleanup into a guessing game.
The numbers are what push this from proof of concept to genuine concern. Proofpoint identified two large, independent campaigns. The first sprayed more than 700,000 spoofed client IDs across over a million accounts in nearly 4,000 tenants. The second was bigger still, targeting more than 2 million users with 3.7 million spoofed IDs. Two unrelated actors arriving at the same method is, the researchers argue, the clearest signal that OAuth client ID spoofing is becoming mainstream tradecraft.
It is worth keeping perspective. This is an enumeration and validation technique, not a master key. Attackers still need stolen credentials to test, and the trick leans on a logging blind spot rather than a code-execution flaw. But that is exactly what makes it awkward to defend against: there is no single patch, and the real fix is better detection engineering. The advice is to stop treating a blank application name as noise and start treating repeated blank-app authentication attempts as something worth chasing down.
The timing lands hard in this region. The UAE Cybersecurity Council has reported that more than 75% of breaches in the country begin with phishing or fraudulent messages, the exact credential-first path a quiet enumeration technique like this one is built to exploit. Proofpoint has published the full technical write-up on its threat insight blog.
