Identity

OAuth client ID spoofing silently validates stolen Microsoft Entra ID credentials

Microsoft Logo on a Modern Glass Office Building

At least two threat actors have weaponized a novel evasion technique called OAuth client ID spoofing in multiple cloud campaigns.

According to a July 13 Proofpoint blog, this new technique lets users enumerate accounts and validate stolen credentials in Microsoft Entra ID environments without ever generating a successful sign-in that would normally alert defenders.

Shane Barney, CISO at Keeper Security, said by spoofing OAuth client IDs, attackers have found a way to confirm which credentials are valid inside an organization's cloud environment without leaving a trace in the logs that security teams use to catch them.

Barney said cloud identity platforms only log what they recognize, and attackers are exploiting that gap at scale. That blind spot isn't a misconfiguration, said Barney, it’s a fundamental problem with how most organizations are approaching cloud identity monitoring.

“Authentication logs are only as valuable as they are complete,” said Barney. “When activity goes unrecorded, security teams are operating on an incomplete picture of their environment, making decisions based on data that doesn't reflect what’s actually happening. No alert fires, no analyst investigates and the organization has no indication that its credentials have been quietly tested and confirmed. By the time those credentials surface in an active intrusion, the opportunity for early intervention has already passed.”

Jason Fruge, resident CISO at XM Cyber, added that the important insight for CISOs isn't the technical details: it's the shift in assumptions. Fruge said many security teams rely on the idea that testing stolen credentials leaves a noticeable trail before an attacker gains access. This method eliminates that early warning by letting attackers quietly confirm valid credentials, then log in as if nothing unusual happened.

Fruge said techniques like this keep emerging, forcing defenders to rethink the assumptions they depend on. Prevention remains critical: deploy phishing-resistant MFA wherever possible and enforce strong password practices to reduce the value of stolen credentials.

But Fruge said no control is foolproof, so adopt an assume-breach mindset.

“Plan for the possibility that a valid credential might get through and focus on limiting the damage,” said Fruge. “That requires closing off pathways for lateral movement like flat networks, unnecessary standing privileges, unsegmented admin access, and other related exposures."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds