Attackers have discovered a way to map an organization’s Entra ID accounts and test credentials without triggering the alerts most security teams rely on.
Proofpoint researchers, who documented the technique in research published July 13, have already tracked two large-scale campaigns using it against cloud environments.
The larger campaign targeted more than two million users with millions of distinct fake identifiers, Proofpoint said.
A second, running from January to March 2026, spread its activity across more than 700,000 spoofed identifiers and hit over a million accounts across nearly 4,000 organizations, locking out roughly a quarter of the users it targeted.
Different Operators, Same Technique
Proofpoint assessed that separate threat actors adopted the same method independently, since the two operations relied on different tooling and infrastructure, a sign the technique is spreading, rather than confined to one group.
The technique, which Proofpoint calls OAuth client ID spoofing, exploits how Entra ID records sign-ins. Every application that authenticates has its own identifier, written into the logs, so defenders can see which app a login came from.
Proofpoint found that Entra accepted a client ID even when it matched no registered application, letting an attacker supply a fake one.
Entra still processed the request, but left the application-name field blank. By reading how the system responded, the attacker could read how the system responded to work out whether a username existed and whether a password was valid, all without producing a successful sign-in event.
Why The Blank Field Matters
That blank field is the crux of the problem, Proofpoint warned. Many security teams hunt for sign-in anomalies by watching for a surge of activity against a specific application, so an attack that records no application name can slip past that detection entirely.
The same evasion weakened other defenses: Conditional Access policies scoped to specific applications could not match a client ID that mapped to no real application, and by spreading requests across thousands of fake IDs, attackers kept each one below the volume that per-application detections are tuned to flag.
Proofpoint’s guidance is that security teams should treat blank application names as a red flag, rather than routine noise.
Security teams should treat sign-in entries with a blank application ID or missing application name as a potential sign of spoofing, and recognize that certain authentication error responses can indicate an attacker has confirmed valid credentials, not merely failed to log in.