🟠 High  |  Source: The Hacker News


Attackers are abusing a technique called OAuth client ID spoofing to silently validate stolen credentials and enumerate user accounts in Microsoft Entra ID, without triggering the sign-in events that defenders typically rely on for alerting. At least two separate threat actors are already exploiting this in active cloud campaigns. The lack of a successful sign-in log entry means most conventional detection tooling will miss the activity entirely.

Security Architect’s Take: Review your Entra ID monitoring strategy to ensure you are not solely relying on successful or failed sign-in logs — look for anomalous OAuth token requests and non-interactive sign-in telemetry. Consider enabling Microsoft Entra ID Protection risk policies and auditing conditional access coverage for non-standard OAuth client IDs, and investigate whether your SIEM has visibility into the underlying authentication protocol events beyond standard sign-in logs.

Original advisory: OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials