negativeSYS.SOURCE: The Hacker News• 2026-07-14T16:51:35+05:30
OAuth Client ID Spoofing Exploits Microsoft Entra ID for Credential Validation
Threat actors are exploiting OAuth client ID spoofing to validate stolen Microsoft Entra ID credentials without triggering sign-in logs, enabling account enumeration and password verification. The technique bypasses telemetry by using malformed client IDs and leverages the ROPC flow to evade detection.
At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry.
The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun
*** END OF TRANSMISSION ***