Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft Entra OAuth Client ID spoofing campaign

Campaign
First reported
Last updated
Happening score
H score 35
1 unique sources, 1 articles

Summary

Hide ▲

A Microsoft Entra ID targeting campaign is using OAuth Client ID spoofing to evade Entra sign-in logs and gain stealthy access to cloud services, increasing the chance that malicious logins go undetected. Proofpoint says it has tracked multiple large-scale campaigns affecting millions of user accounts across thousands of tenants. The activity relies on the ROPC flow and blank application fields to obscure authentication attempts.

Related Happenings

Forg365-ForgCookie alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score37 First: 09.07.2026 17:39 Last: 09.07.2026 17:39 Sources 1

About this happening: **Forg365** is a **phishing-as-a-service (PhaaS)** operation built to steal **Microsoft 365** accounts with **AiTM** and **device-code phishing**, increasing credential-theft risk...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
H score33 First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

EvilTokens Microsoft 365 consent phishing campaign

Campaign
H score39 First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Timeline

  1. 13.07.2026 16:00 2 articles · 2h ago

    OAuth client ID spoofing evades Microsoft Entra ID sign-in logs

    Initial Disclosure

    Proofpoint describes attackers using OAuth client ID spoofing against Microsoft Entra ID to hide malicious authentication activity in Entra sign-in logs. The technique relies on POST requests to Microsoft's OAuth 2.0 token endpoint with the Resource Owner Password Credentials (ROPC) flow, spoofed IDs, and blank application fields, allowing operators to infer valid usernames and passwords, identify accounts that can be exploited, and potentially bypass detection while targeting cloud environments. Proofpoint also says it has tracked multiple large-scale campaigns affecting millions of user accounts across thousands of Microsoft Entra tenants, and advises defenders to treat blank application IDs, missing application names, and AADSTS700016 errors as possible indicators of client ID spoofing.

    Show sources