“The emergence of multiple campaigns with unique tools and infrastructure suggests this technique is gaining traction among threat actors targeting cloud environments,” Proofpoint warned in a blog post published on July 13.
How attackers are spoofing OAuth client IDs in Microsoft Entra
Proofpoint's analysis shows attackers are abusing Microsoft Entra ID (formerly Azure AD) by issuing POST requests to Microsoft's OAuth 2.0 token endpoint and using the Resource Owner Password Credentials (ROPC) flow to submit usernames and passwords directly. Those requests trigger Azure Active Directory Security Token Service (AADSTS) error codes. By interpreting those error responses, unauthenticated requestors can infer whether a username is valid, whether a password is correct, and whether additional controls such as multi‑factor authentication (MFA) or conditional access (CA) are being enforced.
Why the technique is stealthy in Entra sign‑in logs
Proofpoint highlights a practical visibility gap: attackers are submitting requests that lead to Entra sign‑in log entries with blank application IDs or no corresponding application name. Those blank fields make malicious authentication attempts harder for defenders to spot. Because Entra sign‑in logs are a common tool for detecting authentication abuse (for example, user enumeration through brute force or password spraying), the combination of spoofed client IDs and empty log fields allows attackers to evade conventional detection workflows.
Scale, targeting patterns, and account guessing
The research states Proofpoint has tracked multiple large‑scale campaigns deploying this technique against millions of user accounts across thousands of Microsoft Entra tenants. The campaigns use predictable username patterns to increase success rates: attackers often try initials paired with common surnames—examples Proofpoint lists include jsmith, ajohnson and awilliams—leveraging both name commonality and the low likelihood that organizations will change existing username conventions.
Proofpoint's concrete indicators and defensive suggestions
Proofpoint recommends defenders treat certain log features as potential indicators of client ID spoofing. Specifically, sign‑in log entries with blank application IDs or entries without a corresponding application name should be investigated as possible signs of spoofing. Separately, Proofpoint warns that an AADSTS700016 error code—normally associated with failed authentication—may instead signal compromised credentials and should not be assumed to be a routine failed login attempt.
How security teams, affected enterprises, and end users should respond
- Technologists and security teams: Review Entra sign‑in logs for entries with blank application IDs or missing application names and treat those as higher‑priority investigations; correlate AADSTS700016 events with other telemetry rather than dismissing them as simple login failures.
- Affected enterprises and procurement leaders: Expect increased use of client ID spoofing in cloud‑targeted campaigns and prioritize log hygiene and alerting rules that surface blank application ID entries across Microsoft Entra tenants.
- End users: Be aware that credential‑based attacks can be targeted at predictable usernames; organizations relying on common, simple username conventions may be easier to enumerate and should consider that risk when assessing account policies.
Proofpoint's findings map a straightforward exploitation chain—username guessing via ROPC POSTs, inference from AADSTS error messages, and log entries that obscure the originating client—that together enable stealthy access to cloud services. The firm’s advisory is both a warning about a rising tradecraft and a narrow set of detection priorities: blank application IDs, missing application names, and reinterpreting AADSTS700016 events. Whether defenders adjust logging and alerting to pick up these specific signals will determine how widely the technique succeeds.
Read the original Proofpoint‑summarized reporting here: https://www.infosecurity-magazine.com/news/novel-spoofing-technique-targets/




