Skip to content

More than 3 million Microsoft Entra ID accounts targeted in OAuth spoofing campaigns: Proofpoint

More than 3 million Microsoft Entra ID accounts targeted in OAuth spoofing campaigns: Proofpoint
Share this article

Proofpoint has uncovered two large-scale cloud campaigns that used fabricated OAuth client IDs to quietly enumerate Microsoft Entra ID accounts, exposing a growing authentication blind spot that could help attackers determine whether an account exists and whether a password is correct.

The cybersecurity company said the technique exploits differences in Entra ID responses when authentication requests contain valid or invalid application identifiers. By supplying fake client IDs, attackers can determine whether accounts exist, infer credential validity and spread activity across thousands or millions of apparent applications, making malicious traffic harder to connect.

Fake applications cloud the audit trail

OAuth client IDs normally identify registered applications and are recorded in Entra sign-in logs. When attackers submit spoofed identifiers, however, the corresponding application name may remain blank.

That gap can weaken detections built around spikes against known applications, while also sidestepping Conditional Access policies limited to specific app names. Security teams may see failed authentication attempts but fail to recognize that attackers have already identified valid usernames or working passwords.

Proofpoint said threat actors are combining the tactic with rotating user agents, proxy services and frequently changing IP addresses, further fragmenting activity across infrastructure and making conventional rate-based alerts less effective.

Millions of accounts targeted across two separate campaigns

The first operation, tracked as UNK_pyreq2323, surfaced on January 14, 2026, and distributed attempts across more than 700,000 spoofed client IDs. The campaign targeted over one million user accounts across nearly 4,000 tenants using Amazon Web Services infrastructure.

The campaign gathered pace in late January before climbing again in early February. Proofpoint said the volume of failed authentication attempts triggered account lockouts for about 28% of targeted users.

More than 3 million Microsoft Entra ID accounts targeted in OAuth spoofing campaigns: Proofpoint



Proofpoint also identified a separate operation, tracked as UNK_OutFlareAZ, that had been running since December 2025. It was considerably larger, reaching more than two million users through 3.7 million fake application IDs, with most of the traffic traced to Cloudflare infrastructure.

The operation unfolded in two major waves, peaking at about 242,000 users in late December before a larger surge reached roughly 720,000 users on March 15.

Researchers also found repeated use of generic usernames such as dsmith, msmith and jbrown across multiple tenants, suggesting attackers recycled broad wordlists against numerous organizations.

More than 3 million Microsoft Entra ID accounts targeted in OAuth spoofing campaigns: Proofpoint

Proofpoint urges closer monitoring of blank application entries

Differences in infrastructure, user agents, client ID generation and enumeration patterns indicate the campaigns were likely run by separate operators, suggesting the method is spreading rather than remaining confined to a single threat group.

Proofpoint urged defenders to scrutinize sign-in events with missing application names or unrecognized client IDs and to treat certain authentication errors as possible evidence of exposed credentials, not merely unsuccessful login attempts.

About The Coin Headlines

The Coin Headlines strives to bring trust into crypto media. At a time when every soundbite and headline can move the markets from red to green and vice-versa, The Coin Headlines promises to bring verified, credible and timely news and analysis from the world of crypto, blockchain, Web3, tech and markets. Founded in 2026, The Coin Headlines is based in the UAE with a team of experienced journalists and editors covering breaking news and updates from around the world.

From covering the biggest events to interviewing some of the most popular KOLs in the industry, The Coin Headlines keeps you informed of the latest trends and insights.

At The Coin Headlines our focus is clear: Real-time news updates, market movements, whale transfers, macroeconomic trends, tech and AI and geopolitical breaking news. The news we report goes through a strict editorial audit before its published to ensure the readers only get verified and credible information. We realize the world of crypto is dynamic, volatile, and many times, confusing. At The Coin Headlines we break down these complex issues into simple articles which cater to not just the experienced trader but also the student and first-time investor who wants to understand the space before committing to it.