Attackers Are Probing Entra ID Accounts Without Leaving A Trace

By faking the application ID in sign-in requests, attackers can map Microsoft Entra ID users and test passwords while leaving no successful login in the logs.

Published on Jul 13, 2026
Attackers Are Probing Entra ID Accounts Without Leaving A Trace

Attackers have discovered a way to map an organization’s Entra ID accounts and test credentials without triggering the alerts most security teams rely on.

Proofpoint researchers, who documented the technique in research published July 13, have already tracked two large-scale campaigns using it against cloud environments.

The larger campaign targeted more than two million users with millions of distinct fake identifiers, Proofpoint said.

A second, running from January to March 2026, spread its activity across more than 700,000 spoofed identifiers and hit over a million accounts across nearly 4,000 organizations, locking out roughly a quarter of the users it targeted.

Different Operators, Same Technique

Proofpoint assessed that separate threat actors adopted the same method independently, since the two operations relied on different tooling and infrastructure, a sign the technique is spreading, rather than confined to one group.

The technique, which Proofpoint calls OAuth client ID spoofing, exploits how Entra ID records sign-ins. Every application that authenticates has its own identifier, written into the logs, so defenders can see which app a login came from.

Proofpoint found that Entra accepted a client ID even when it matched no registered application, letting an attacker supply a fake one.

Entra still processed the request, but left the application-name field blank. By reading how the system responded, the attacker could read how the system responded to work out whether a username existed and whether a password was valid, all without producing a successful sign-in event.

Why The Blank Field Matters

That blank field is the crux of the problem, Proofpoint warned. Many security teams hunt for sign-in anomalies by watching for a surge of activity against a specific application, so an attack that records no application name can slip past that detection entirely.

The same evasion weakened other defenses: Conditional Access policies scoped to specific applications could not match a client ID that mapped to no real application, and by spreading requests across thousands of fake IDs, attackers kept each one below the volume that per-application detections are tuned to flag.

Proofpoint’s guidance is that security teams should treat blank application names as a red flag, rather than routine noise.

Security teams should treat sign-in entries with a blank application ID or missing application name as a potential sign of spoofing, and recognize that certain authentication error responses can indicate an attacker has confirmed valid credentials, not merely failed to log in.

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Alessandro Mascellino
Alessandro Mascellino Cybersecurity Reporter

Alessandro Mascellino is a British-Italian freelance journalist specializing in technology and gaming. He has contributed to several publications, including Wired, The Independent, and Android Police. By day, he works as a journalist. By night, he co-manages a game studio that creates narrative games.