Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool

Avatar
Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts. The activity, codenamed UNK_SneakyStrike by Proofpoint, has targeted over 80,000 user accounts across hundreds of organizations’ cloud tenants since a surge in

Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts.

The activity, codenamed UNK_SneakyStrike by Proofpoint, has targeted over 80,000 user accounts across hundreds of organizations’ cloud tenants since a surge in login attempts was observed in December 2024, leading to successful account takeovers.

“Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts,” the enterprise security company said. “Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others.”

TeamFiltration, publicly released by researcher Melvin “Flangvik” Langvik, in August 2022 at the DEF CON security conference, is described as a cross-platform framework for “enumerating, spraying, exfiltrating, and backdooring” Entra ID accounts.

The tool offers extensive capabilities to facilitate account takeover using password spraying attacks, data exfiltration, and persistent access by uploading malicious files to the target’s Microsoft OneDrive account.

While the tool requires an Amazon Web Services (AWS) account and a disposable Microsoft 365 account to facilitate password spraying and account enumeration functions, Proofpoint said it observed evidence of malicious activity leveraging TeamFiltration to conduct these activities such that each password spraying wave originates from a different server in a new geographic location.

The three primary source geographies linked to malicious activity based on the number of IP addresses include the United States (42%), Ireland (11%), and Great Britain (8%).

The UNK_SneakyStrike activity has been described as “large-scale user enumeration and password spraying attempts,” with the unauthorized access efforts occurring in “highly concentrated bursts” targeting several users within a single cloud environment. This is followed by a lull that lasts for four to five days.

The findings once again highlight how tools designed to assist cybersecurity professionals can be misused by threat actors to carry out a wide range of nefarious actions that allow them to breach user accounts, harvest sensitive data, and establish persistent footholds.

“UNK_SneakyStrike’s targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants,” Proofpoint said. “This behaviour matches the tool’s advanced target acquisition features, designed to filter out less desirable accounts.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks

Next Post

ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks

Related Posts

⚡ Weekly Recap: Chrome 0-Day, Ivanti Exploits, MacOS Stealers, Crypto Heists and More

Everything feels secure—until one small thing slips through. Even strong systems can break if a simple check is missed or a trusted tool is misused. Most threats don’t start with alarms—they sneak in through the little things we overlook. A tiny bug, a reused password, a quiet connection—that’s all it takes. Staying safe isn’t just about reacting fast. It’s about catching these early signs
Avatar
Read More

U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation

The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot (aka DanaTools) and unsealed charges against 16 individuals for their alleged involvement in the development and deployment of the malware, which it said was controlled by a Russia-based cybercrime organization. The malware, the DoJ said, infected more than 300,000
Avatar
Read More