Fake OAuth client IDs are helping attackers slip past sign

Cybersecurity researchers have identified a new technique where attackers spoof OAuth client IDs to bypass sign-in logs in Microsoft Entra ID. This method allows malicious actors to perform account enumeration and password spraying while remaining undetected by standard telemetry.
Fake OAuth client IDs are helping attackers slip past sign-in logs Attackers running account enumeration against Microsoft cloud tenants have added a step that keeps their probing out of the usual telemetry. They spoof the OAuth client ID, the globally unique identifier assigned to an application and passed as client_id in an authentication request. Microsoft Entra ID records that value as the application ID in its sign-in logs, and the way it handles unfamiliar identifiers opens a gap that operators have started to work through.
Get the full story
Sign up for Headlinne to unlock AI insights, political bias analysis, and your personalized news feed.
Create free accountAlready have an account? Sign in