Article may be outdated

This article is 5 days old. Some details may have changed since publication.

Help Net Security·3 min read·hard

Fake OAuth client IDs are helping attackers slip past sign

M
Mirko Zorz
Fake OAuth client IDs are helping attackers slip past sign
AI Summary

Cybersecurity researchers have identified a new technique where attackers spoof OAuth client IDs to bypass sign-in logs in Microsoft Entra ID. This method allows malicious actors to perform account enumeration and password spraying while remaining undetected by standard telemetry.

Fake OAuth client IDs are helping attackers slip past sign-in logs Attackers running account enumeration against Microsoft cloud tenants have added a step that keeps their probing out of the usual telemetry. They spoof the OAuth client ID, the globally unique identifier assigned to an application and passed as client_id in an authentication request. Microsoft Entra ID records that value as the application ID in its sign-in logs, and the way it handles unfamiliar identifiers opens a gap that operators have started to work through.

Continue reading on Headlinne

Create a free account to read the full article.

Read full article →
technologybusiness

Get the full story

Sign up for Headlinne to unlock AI insights, political bias analysis, and your personalized news feed.

Create free account

Already have an account? Sign in