Cyber attackers are increasingly deploying a stealthy technique known as OAuth client ID spoofing to gain unauthorized access to cloud environments, cybersecurity experts at Proofpoint have warned. This method leverages Microsoft Entra ID, formerly Azure AD, allowing attackers to access accounts without a registered OAuth client ID, making detection difficult for defenders, based on information published by Infosecurity Magazine.The technique involves attackers issuing POST requests to Microsoft's OAuth 2.0 token endpoint using the Resource Owner Password Credentials (ROPC) flow. This allows them to submit usernames and passwords directly, generating Azure Active Directory Security Token Service (AADSTS) error codes. Attackers can exploit these errors to infer the validity of usernames and passwords and bypass security measures like multi-factor authentication and conditional access. By using spoofed IDs and blank fields in Entra ID logs, malicious activity becomes harder to detect.Proofpoint has observed multiple large-scale campaigns using this method, targeting millions of user accounts across numerous Microsoft Entra tenants. Attackers often attempt to spoof common usernames like "jsmith" or "awilliams" to increase their chances of success. Defenders are advised to treat sign-in log entries with blank or missing application IDs as potential indicators of client ID spoofing and be aware that AADSTS700016 error codes might signal compromised credentials.Source: Infosecurity Magazine
Cloud Security
Cybercriminals exploit OAuth client ID spoofing to bypass cloud security

An In-Depth Guide to Cloud Security
Get essential knowledge and practical strategies to fortify your cloud security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



