Close Menu
Cybercrime and Ransomware

TeamFiltration Faces Entra ID Account Takeover Crisis

Staff WriterBy No Comments3 Mins Read8 Views

Essential Insights

  1. Account Takeover Campaign: A large-scale account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is exploiting the TeamFiltration pentesting framework to compromise Entra ID users, as reported by Proofpoint.

  2. TeamFiltration Framework: Released in 2022, TeamFiltration automates tactics for ATO attacks, requiring an AWS account and a ‘sacrificial’ Office 365 account to perform actions like account enumeration and data exfiltration.

  3. Attack Patterns: The campaign, starting in December 2024, focused on password spraying, targeting accounts across ~100 cloud tenants—mixing high-frequency bursts of attacks followed by quiet periods of 4-5 days.

  4. Weaponization of Tools: Proofpoint highlights that while TeamFiltration aids cybersecurity testing, its capabilities are being weaponized by threat actors to access accounts, exfiltrate data, and maintain persistent access, with most attacks stemming from AWS infrastructure.

The Core Issue

In a troubling development uncovered by Proofpoint, a sophisticated account takeover (ATO) campaign has emerged, leveraging the TeamFiltration penetration testing framework to exploit Entra ID users. Launched in 2022, TeamFiltration facilitates automated ATO attack strategies, including account enumeration and password spraying, utilizing AWS infrastructure alongside a ‘sacrificial’ Office 365 account. Such measures allowed a threat actor, tracked under the moniker UNK_SneakyStrike, to effectively infiltrate approximately 100 cloud tenants, with attack intensity peaking in January 2025.

The campaign’s methodology is alarming; it employs the Microsoft Teams API in concert with AWS servers to execute rapid, concentrated password spraying attacks. Attack bursts often target a broad user base within smaller tenants while narrowing focus on select individuals in larger organizations, showcasing TeamFiltration’s advanced targeting capabilities. Investigators have identified telltale signs, including an outdated Microsoft Teams user agent and specific application IDs linked to vulnerable Microsoft OAuth apps, facilitating unauthorized access through exchange tokens. As Proofpoint warns, while designed for cybersecurity enhancement, tools like TeamFiltration can be readily weaponized, leading to significant risks of data exfiltration and persistent breaches.

Risks Involved

The exploitation of the TeamFiltration penetration testing framework in a large-scale account takeover (ATO) campaign poses significant risks not only to targeted organizations but also to the broader ecosystem of businesses and users. As malicious actors leverage this sophisticated framework to automate and execute password spraying and account enumeration attacks, compromised accounts can lead to cascading failures across interconnected systems, jeopardizing sensitive corporate data, customer trust, and operational integrity. The likelihood of data exfiltration increases remarkably, as attackers gain persistent access through legitimate interfaces like OneDrive, allowing them to siphon off critical information that could be utilized for further attacks within and beyond the compromised environments. SMEs, especially those with less robust security infrastructures, may find themselves particularly vulnerable, creating a ripple effect that challenges the stability of entire sectors. Should these attacks expand further, they threaten to undermine confidence in cloud services, potentially stifling innovation and growth while prompting stringent regulatory scrutiny and costly remediation efforts across the impacted landscape.

Possible Actions

The urgency of addressing security breaches cannot be overstated, especially in the context of TeamFiltration’s compromise during the Entra ID account takeover campaign.

Mitigation Steps

  • Immediate password reset
  • Multi-factor authentication enforcement
  • Account activity monitoring
  • User awareness training
  • Incident response plan execution
  • Collaboration with cybersecurity teams

NIST CSF Guidance
The NIST Cybersecurity Framework (CSF) underscores the necessity of risk management and adaptive remediation strategies. Refer to Special Publication 800-53 for more comprehensive guidelines on protecting information systems and managing security controls effectively.

Explore More Security Insights

Stay informed on the latest Threat Intelligence and Cyberattacks.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.