
Hackers Spoof 3.7 Million OAuth Client IDs to Stealthily Enumerate 2 Million Entra ID Users
The Stealthy Threat: How Spoofed OAuth Client IDs Enumerate Entra ID Users
The landscape of enterprise security faces a persistent and evolving adversary. A recent alarming discovery by Proofpoint highlights a sophisticated tactic employed by threat actors: the spoofing of 3.7 million OAuth client IDs to discreetly enumerate 2 million Microsoft Entra ID (formerly Azure Active Directory) users. This strategy allows attackers to identify valid accounts and potentially compromise credentials, all while sidestepping conventional detection mechanisms. Understanding this attack vector is crucial for any organization leveraging Entra ID.
Understanding OAuth Client IDs and Their Role in Authentication
To grasp the gravity of this attack, it’s essential to understand OAuth client IDs. An OAuth client ID is a globally unique identifier assigned to an application registered with an identity provider, such as Microsoft Entra ID. When an application attempts to authenticate a user, it presents this unique identifier via the client_id parameter. This parameter informs the identity provider which application is requesting access, allowing for proper authorization flows and token issuance.
- Globally Unique: Each registered application receives a distinct client ID.
- Authentication Identifier: Used by applications to identify themselves to the identity provider.
- Security Context: Plays a vital role in the initial stages of the OAuth 2.0 authorization framework, linking a request to a specific, legitimate application.
The Attack Vector: Spoofing for Stealthy Enumeration
The core of this attack lies in the sophisticated spoofing of these OAuth client IDs. Threat actors leveraged a massive number of falsified or hijacked client IDs to initiate authentication requests against Microsoft Entra ID. While these requests might not fully complete an authentication flow, they are sufficient to prompt Entra ID to respond in a way that reveals whether a submitted username corresponds to a valid existing account within the target organization.
This technique is particularly insidious because it mimics legitimate application behavior, making it difficult for traditional security measures to discern malicious activity from normal operational traffic. Instead of brute-forcing passwords directly, which would trigger immediate alerts, attackers are performing a reconnaissance phase to build lists of valid user accounts. This pre-attack enumeration significantly increases the chances of success for subsequent spear-phishing or credential stuffing campaigns.
Why this Attack Evades Traditional Detection
The primary reason this method bypasses common detection systems is its nature as an enumeration technique rather than a direct attack. Security solutions often focus on detecting:
- Failed Login Attempts: Numerous incorrect password entries from a single source.
- Unusual Geolocation Logins: Access attempts from unexpected geographical locations.
- Irregular Login Patterns: Logins outside of typical working hours or from atypical devices.
However, an enumeration attack using spoofed client IDs doesn’t necessarily involve failed logins or immediately unusual patterns. It’s about probing for account validity. The sheer volume of unique, albeit spoofed, client IDs used across millions of requests further obfuscates the malicious intent, distributing the “load” and making it harder to link individual requests to a coordinated attack.
Remediation Actions and Proactive Defense
Organizations must take proactive steps to mitigate the risks posed by this type of sophisticated enumeration. Securing your Microsoft Entra ID environment requires a multi-layered approach.
- Implement Strong Authentication Policies: Mandate Multi-Factor Authentication (MFA) for all users, especially for administrative accounts. Even if an attacker identifies a valid username, MFA acts as a critical barrier to account takeover.
- Monitor Entra ID Sign-in Logs: Regularly analyze sign-in logs for unusual patterns, even those that don’t immediately indicate failed logins. Look for an abnormally high number of successful or partially successful authentication attempts from new or infrequently used OAuth client IDs.
- Leverage Conditional Access Policies: Configure Conditional Access policies to restrict access based on device compliance, location, application, and user risk. This can prevent access from untrusted sources or applications.
- Review and Audit Application Consents: Periodically audit applications that have consented to access resources within your Entra ID tenant. Remove any unused or suspicious applications.
- Educate Users on Phishing: Strengthen your security awareness training programs to educate users about sophisticated phishing attempts that might exploit enumerated user lists.
- Utilize Entra ID Identity Protection: This feature can identify suspicious user activities, risky sign-ins, and vulnerabilities, providing automated remediation capabilities.
Tools for Detection and Mitigation
While this attack is stealthy, several tools and built-in features can aid in detection and mitigation efforts.
| Tool Name | Purpose | Link |
|---|---|---|
| Microsoft Entra ID Protection | Detects identity-based risks, risky sign-ins, and user vulnerabilities. | Learn More |
| Microsoft Defender for Cloud Apps | Discovers cloud apps, assesses risk, enables policies, and detects anomalies. | Learn More |
| SIEM Solutions (e.g., Microsoft Sentinel) | Collects, analyzes, and correlates security logs from various sources, including Entra ID, for anomaly detection. | Learn More |
| Proofpoint Emerging Threats (ET) Intelligence | Provides actionable threat intelligence to identify and block emerging threats. | Learn More |
Key Takeaways for Strengthening Your Security Posture
The discovery of attackers spoofing millions of OAuth client IDs to enumerate Entra ID users is a stark reminder of the evolving threat landscape. Organizations cannot solely rely on traditional perimeter defenses. Instead, a robust security posture demands continuous monitoring, strong identity protection, and the vigilant application of best practices.
By understanding how these enumeration attacks function, implementing comprehensive MFA, leveraging Conditional Access, and regularly auditing application consents, you can significantly reduce the attack surface and protect your Microsoft Entra ID users from sophisticated credential-based attacks. Stay proactive, stay secure.


