Proofpoint Warns ‘OAuth Client ID Spoofing’ Lets Attackers Probe Accounts Nearly Invisibly

CYBERSECURITYPROOFPOINTOAuth ID SpoofingTECHPLUGGED.COM

Security teams love a good log. Proofpoint’s latest research is a reminder that attackers know exactly which logs you are watching, and how to slip past them. The company has published new findings on a technique it calls OAuth client ID spoofing, which lets attackers confirm valid accounts and test stolen passwords at scale while leaving almost no useful trace in the sign-in records defenders rely on.

How the trick works

The mechanics are deceptively simple. Attackers pass a fake OAuth client ID inside their authentication requests. That causes Microsoft Entra ID to log the attempt with a blank application name, a gap that standard detections, which are typically built around recognizable named applications, tend to miss entirely.

The payoff for the attacker is stealthy reconnaissance. The method lets them verify which accounts and passwords are valid without ever generating a successful sign-in event. Even when defenders do notice the activity, Proofpoint says they often cannot tell whether working credentials were actually exposed, which turns incident response into guesswork.

Why it matters

This is not a fringe experiment. Proofpoint identified two large, independent campaigns using the technique. The first spanned more than 700,000 spoofed client IDs and hit over a million accounts across nearly 4,000 tenants. The second was larger still, targeting more than 2 million users with some 3.7 million spoofed IDs. Crucially, the two campaigns appear to be the work of separate actors who arrived at the same method independently, a strong signal that OAuth client ID spoofing is moving from clever edge case to mainstream attacker tradecraft.

The regional stakes are real. Proofpoint notes that the UAE Cybersecurity Council has reported more than 75% of breaches in the country begin with phishing or fraudulent messages, exactly the kind of credential-driven attack this technique is designed to feed. Enumeration and password validation are the quiet first steps that make later account takeover possible.

The uncomfortable takeaway for defenders is that a detection strategy anchored to named applications has a blind spot, and attackers are actively exploiting it. Proofpoint’s write-up walks through what to watch for in the logs, but the broader lesson is familiar: identity has become the primary battleground, and the telemetry security teams trust is only as good as the assumptions baked into it.

This article covers a cybersecurity threat for informational and defensive purposes. Full technical detail is available in Proofpoint’s published research.