Hackers spoofed 3.7 million OAuth client ids to enumerate entra ID users

Attackers used 3.7 million spoofed OAuth client IDs to enumerate Entra ID user accounts and map application ecosystems.

CSBadmin
1 Min Read

Threat actors are exploiting spoofed OAuth client IDs to enumerate Microsoft Entra ID accounts and identify potentially valid credentials while evading traditional detection mechanisms.

The attack technique involves crafting 3.7 million OAuth client ID variations and submitting them to Microsoft’s authentication endpoints. By analyzing error responses, attackers can determine which client IDs are valid and map out Entra ID tenant structures without triggering standard security alerts.

OAuth client ID enumeration allows attackers to build a detailed map of an organization’s application ecosystem. This reconnaissance phase is critical for planning targeted phishing campaigns and credential theft operations against specific applications and users.

The spoofing technique bypasses traditional rate-limiting and anomaly detection because the requests appear as legitimate OAuth flow attempts. Security teams may not notice enumeration activity amid normal authentication traffic.

Microsoft recommends implementing conditional access policies requiring device compliance and phishing-resistant authentication. Enabling Entra ID Identity Protection and monitoring for unusual authentication patterns can help detect enumeration campaigns before they lead to account compromise.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.