Proofpoint has uncovered two large-scale cloud campaigns that used fabricated OAuth client IDs to quietly enumerate Microsoft Entra ID accounts, exposing a growing authentication blind spot that could help attackers determine whether an account exists and whether a password is correct.
The cybersecurity company said the technique exploits differences in Entra ID responses when authentication requests contain valid or invalid application identifiers. By supplying fake client IDs, attackers can determine whether accounts exist, infer credential validity and spread activity across thousands or millions of apparent applications, making malicious traffic harder to connect.
Fake applications cloud the audit trail
OAuth client IDs normally identify registered applications and are recorded in Entra sign-in logs. When attackers submit spoofed identifiers, however, the corresponding application name may remain blank.
That gap can weaken detections built around spikes against known applications, while also sidestepping Conditional Access policies limited to specific app names. Security teams may see failed authentication attempts but fail to recognize that attackers have already identified valid usernames or working passwords.
Proofpoint said threat actors are combining the tactic with rotating user agents, proxy services and frequently changing IP addresses, further fragmenting activity across infrastructure and making conventional rate-based alerts less effective.
Millions of accounts targeted across two separate campaigns
The first operation, tracked as UNK_pyreq2323, surfaced on January 14, 2026, and distributed attempts across more than 700,000 spoofed client IDs. The campaign targeted over one million user accounts across nearly 4,000 tenants using Amazon Web Services infrastructure.
The campaign gathered pace in late January before climbing again in early February. Proofpoint said the volume of failed authentication attempts triggered account lockouts for about 28% of targeted users.
Proofpoint also identified a separate operation, tracked as UNK_OutFlareAZ, that had been running since December 2025. It was considerably larger, reaching more than two million users through 3.7 million fake application IDs, with most of the traffic traced to Cloudflare infrastructure.
The operation unfolded in two major waves, peaking at about 242,000 users in late December before a larger surge reached roughly 720,000 users on March 15.
Researchers also found repeated use of generic usernames such as dsmith, msmith and jbrown across multiple tenants, suggesting attackers recycled broad wordlists against numerous organizations.
Proofpoint urges closer monitoring of blank application entries
Differences in infrastructure, user agents, client ID generation and enumeration patterns indicate the campaigns were likely run by separate operators, suggesting the method is spreading rather than remaining confined to a single threat group.
Proofpoint urged defenders to scrutinize sign-in events with missing application names or unrecognized client IDs and to treat certain authentication errors as possible evidence of exposed credentials, not merely unsuccessful login attempts.





