{"id":289387,"date":"2026-07-14T07:21:00","date_gmt":"2026-07-14T11:21:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/14\/oauth-client-id-spoofing-lets-attackers-validate-stolen-microsoft-entra-credentials\/"},"modified":"2026-07-14T10:45:11","modified_gmt":"2026-07-14T14:45:11","slug":"oauth-client-id-spoofing-lets-attackers-validate-stolen-microsoft-entra-credentials","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/14\/oauth-client-id-spoofing-lets-attackers-validate-stolen-microsoft-entra-credentials\/","title":{"rendered":"OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/oauth-client-id-spoofing-lets-attackers.html\">OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/oauth-client-id-spoofing-lets-attackers.html\">https:\/\/thehackernews.com\/2026\/07\/oauth-client-id-spoofing-lets-attackers.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-14 07:21:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">Jul 14, 2026<\/span><\/span><span class=\"p-tags\">Cloud Security \/ Identity Security<\/span><\/p>\n<p>At least two distinct threat actors are weaponizing a novel evasion technique called <strong>OAuth client ID spoofing<\/strong> in cloud campaigns, while slipping past telemetry.<\/p>\n<p>The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun to exploit this gap to obtain unauthorized access to an organization&#8217;s cloud services.<\/p>\n<p>&#8220;A blind spot in cloud sign-in telemetry: Entra ID returns different error responses depending on whether a supplied OAuth client ID is valid,&#8221; Proofpoint said in a statement. &#8220;Attackers exploit this to infer valid usernames and correct passwords at scale, effectively checking stolen credential lists without logging a successful login.&#8221;<\/p>\n<p>In other words, the attacks leverage the OAuth client ID, a globally unique identifier (GUID) assigned to applications when requesting access to user data, and is passed as &#8220;client_id&#8221; in authentication requests. By providing spoofed client IDs, it enables account enumeration without a registered OAuth application and permits attackers to infer both password and account validity without generating a successful sign-in event.<\/p>\n<p>&#8220;The Entra sign\u2011in logs are a primary telemetry source for identifying malicious authentication activity, including user enumeration, password spraying, and initial access attempts,&#8221; Proofpoint researcher Rachel Rabin said.<\/p>\n<p>Threat clusters like UNK_CustomCloak have been observed spoofing User-Agent strings to orchestrate brute-force campaigns targeting Microsoft Entra ID environments by exploiting a legacy, discontinued first-party application called Windows Live Custom Domains to bypass standard sign-in restrictions and probe user passwords across over 4,000 tenants.<\/p>\n<p>But the latest efforts mark an evolution of this tradecraft by spoofing the OAuth client&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/oauth-client-id-spoofing-lets-attackers.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials https:\/\/thehackernews.com\/2026\/07\/oauth-client-id-spoofing-lets-attackers.html Publish Date: 2026-07-14&#8230;<\/p>\n","protected":false},"author":1,"featured_media":289388,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjmB1bLC9cna7xlnvFdK0hUnsi8jeo6E7jMh20nj4XTvsF9ogpjbnlPCxx9QYQ1O2aS7JiSDQi4swIRNG6-Xjg2TGR4bn4Zn-KBkjsLTYcKUrXOD-rlGu4XYsvRx06eRqrT4duW0xwklKeYjZvRV1VSarJBKldBzN4DNhkWudVCGRdKPi9uVGrqEwL66mz5\/s1600\/OAuth-ClientID.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31],"class_list":["post-289387","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289387"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=289387"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289387\/revisions"}],"predecessor-version":[{"id":289389,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289387\/revisions\/289389"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/289388"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=289387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=289387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=289387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}