Google and Microsoft are tightening identity and OAuth telemetry after stealthy account attacks
Attackers have started abusing OAuth client ID behavior in Microsoft Entra ID to enumerate accounts and evade normal sign-in logging. Proofpoint showed that spoofed client IDs can let operators infer whether usernames or passwords are valid without generating the usual telemetry defenders rely on. In parallel, researchers also demonstrated a Google device-code-flow confused deputy issue that could enable invisible account takeover if the session handling and consent checks are weak. These stories matter because identity attacks are increasingly focused on edge-case protocol behavior rather than password spraying alone. They also undermine assumptions that the absence of a normal sign-in event means the absence of an attack. For defenders, this means authentication logs need to be interpreted much more carefully and monitored for unusual client identifiers and consent patterns.
Sources
- Fake OAuth client IDs are helping attackers slip past sign-in logs — Help Net Security
- OAuth Client ID Spoofing: Why Fake Client IDs Are Gaining Traction for Stealthy Enumeration — Proofpoint Threat Insight
- [$13337] Confused Deputy: Google IdP Universal Account Takeover via Device Code Flow Hijacking — /r/cybersecurity
- [$13337] Confused Deputy: Google IdP Universal Account Takeover via Device Code Flow Hijacking — /r/netsec


Leave a Reply