Security · 3h ago
OAuth Client ID Spoofing Bypasses Microsoft Entra ID Sign-In Logs
Attackers are exploiting OAuth client ID spoofing to validate stolen Microsoft Entra ID credentials without triggering sign-in events. Two threat groups have been observed using this technique to enumerate accounts and test stolen passwords. The evasion method bypasses telemetry that would normally alert defenders to unauthorized access attempts.
Meridian48 take
This technique highlights a blind spot in cloud authentication monitoring, as attackers can probe credentials without leaving the usual forensic trail.
Read the full reporting
OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials →
The Hacker News
oauth-spoofingmicrosoft-entra-id