Attackers are increasingly abusing spoofed OAuth application identifiers to enumerate Microsoft Entra ID accounts, test credentials, and fragment authentication activity across hundreds of thousands or millions of fictional applications.
The technique exploits how Entra ID processes the client_id parameter in OAuth authentication requests.
Every registered OAuth application is assigned a globally unique application identifier, and Entra sign-in logs typically record both the application ID and its name.
However, when attackers provide a syntactically valid but unregistered client ID, logs can contain an application ID while leaving the application name blank.
That gap enables attackers to avoid detections designed to identify password spraying or account enumeration against commonly abused Microsoft applications, including Azure AD PowerShell and Exchange Online.
Instead of concentrating activity on a single recognizable client, operators can distribute requests across a large population of invented application IDs.
Proofpoint simulated the behavior through the Resource Owner Password Credentials (ROPC) flow, sending direct username and password submissions to Microsoft’s /common/oauth2/token endpoint.
The resulting Microsoft Entra error codes reveal valuable account-state information to an unauthenticated requester.
For example, AADSTS50034 indicates an invalid username, while AADSTS50126 indicates that a valid account was supplied with an invalid password.
More significantly, when attackers submit a valid username and correct password alongside an unregistered application ID, Entra may return AADSTS700016, showing that the application identifier is unknown.
This response effectively confirms a valid username-password pair without producing a successful sign-in event.
The activity is especially problematic because Entra logs only attempts involving valid usernames. An organization investigating a failed authentication burst may therefore see evidence of enumeration but may not realize an attacker has already identified working credentials.
Proofpoint has observed OAuth client ID spoofing emerging as a novel technique, increasingly leveraged in cloud campaigns.
Attackers Distribute Password Attacks
Proofpoint tracked one campaign, dubbed UNK_pyreq2323, from January through March 202620262026. The operation used the python-requests/2.32.3 user agent and AWS-hosted infrastructure to target more than one million accounts across nearly 4,0004{,}0004,000 Entra tenants.

The attackers distributed requests across more than 700,000700{,}000700,000 spoofed client IDs, modifying the trailing digits of an Exchange Online-related identifier: 00000002-0000-0ff1-ce00-000000XXXXXX.
Most fraudulent IDs were used against only one to three accounts and no more than 121212, reducing the usefulness of correlation rules based on repeated application activity.
The campaign caused account lockouts for approximately 28%28%28% of targeted users, demonstrating that even stealth-oriented enumeration can produce meaningful operational disruption.
A separate operation, tracked as UNK_OutFlareAZ, began in December 202520252025 and operated at a larger scale. It targeted over two million users while cycling through roughly 3.73.73.7 million spoofed application IDs.
The campaign primarily originated from Cloudflare infrastructure and used a forged Microsoft Outlook user agent commonly seen in password-enumeration tooling.

Unlike UNK_pyreq2323, the second campaign generated a fresh random UUIDv4 client ID for every authentication attempt. That one-time-use approach further limits an analyst’s ability to link requests by application identifier.
Its username targeting also appeared alphabetical and reused generic names such as dsmith, msmith, and jbrown across tenants, indicating use of precompiled wordlists.
The differing user agents, infrastructure, client-ID generation, and execution patterns suggest separate actors or tools have independently adopted OAuth client ID spoofing.
Proofpoint assesses that the tradecraft is becoming more common in cloud-focused credential attacks.
Defenders should hunt Entra sign-in records where the application name is absent, particularly when paired with high-volume failed authentications, distributed source IPs, or unusual client IDs.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide

