OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials
C The Hacker News ·
Admiralty grading (A–F · 1–6)
Source reliability
- A Completely reliable
- B Usually reliable
- C Fairly reliable
- D Not usually reliable
- E Unreliable
- F Cannot be judged
Information credibility
- 1 Confirmed
- 2 Probably true
- 3 Possibly true
- 4 Doubtful
- 5 Improbable
- 6 Cannot be judged
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Key insight
Attackers exploit OAuth Client ID spoofing to validate stolen credentials against Microsoft Entra ID without detection, as no successful sign-in event is logged.
Description
OAuth Client ID spoofing is an evasion technique in which attackers send syntactically valid but non-existent OAuth Client IDs via HTTP POST requests to Microsoft's OAuth 2.0 token endpoint. The technique uses the Resource Owner Password Credentials (ROPC) flow to attack Entra ID environments. It allows attackers to validate valid usernames and correct passwords at scale without a successful sign-in event being logged in telemetry. At least two distinct threat actors, including the group UNK_CustomCloak, are already employing this method in active campaigns against Microsoft Entra ID. The attack exploits a blind spot in telemetry: Entra ID returns different error responses depending on whether the supplied OAuth Client ID is valid.
Risk score
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 15.00
- industry weight
- 1.21
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
Path: operational