Attackers are using the TeamFiltration pentesting framework to password-spray their way into Microsoft Entra ID (formerly Azure AD) accounts, Proofpoint researchers have discovered.

“Proofpoint’s research indicates that while simulated intrusions using TeamFiltration date back nearly to the tool’s initial release in 2021, there has recently been a surge in login attempts associated with its use,” they shared.

“This increase in activity, attributed to UNK_SneakyStrike’s ongoing campaign, began in December 2024 and peaked in January 2025. So far, over 80,000 user accounts across roughly 100 cloud tenants [i.e., organizations] have been targeted, resulting in multiple account takeover instances.”

How the attackers leverage TeamFiltration

TeamFiltration is a legitimate pentesting framework that, like other similar tools, has been turned to malicious ends by attackers.

It is capable of:

  • Identifying valid user accounts within a target environment (username enumeration)
  • Password spraying: trying the identified usernames against a short list of common passwords to see whether any combination grants access to an account
  • Exfiltrating data and files that the compromised Entra ID users have access to
  • Uploading malicious files to the target users’ OneDrive and replacing existing files with malicious lookalikes (to enable persistent access and lateral movement)

The attackers created a Microsoft 365 user account with a valid Microsoft 365 Business Basic license, and leveraged the Microsoft Teams API to verify the existence of target user accounts and Amazon Web Services (AWS) servers to perform waves of password spraying attacks from various geographic locations.

Once they take over an account, the attackers use the access they have gained to exfiltrate sensitive data.

How to fend off Entra ID account takeover attempts

“Unauthorized access attempts attributed to UNK_SneakyStrike tend to occur in highly concentrated bursts. Most bursts target a wide range of users within a single cloud environment, followed by quiet periods that typically last around four to five days,” the researchers shared.

“UNK_SneakyStrike’s targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants. This behaviour matches the tool’s advanced target acquisition features, designed to filter out less desirable accounts.”

The threat analysts have shared indicators of compromise related to these ongoing attacks and advised defenders to use them to check whether any of their organization’s accounts have been compromised.
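The burst-then-silence pattern the researchers describe is something defenders can hunt for directly in Entra ID sign-in logs. The following is an added example, not code from Proofpoint’s report or from the TeamFiltration project: it clusters failed sign-ins per source IP into bursts, flags a burst that touches many distinct accounts as password spraying (and counts “account does not exist” failures as the username-validation signal), surfaces any success from a spraying IP for an account it had just sprayed as a takeover candidate, and measures the quiet periods between waves. The sample records are constructed and trimmed to the shape of Microsoft Graph signIn objects; the gap and distinct-user thresholds are assumptions to tune for your tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Microsoft Graph signIn records, trimmed to
# the fields the logic needs. errorCode 0 = success, 50126 = bad password,
# 50034 = the account does not exist (what username validation looks like).
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-01-10T02:00:05Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-10T02:00:09Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-10T02:00:14Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-10T02:00:20Z", "userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-10T02:00:26Z", "userPrincipalName": "erin@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-10T02:00:31Z", "userPrincipalName": "frank@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50034}}
{"createdDateTime": "2025-01-10T02:03:40Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-11T09:15:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-11T09:15:30Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-15T03:10:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-15T03:10:06Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-15T03:10:11Z", "userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-15T03:10:17Z", "userPrincipalName": "erin@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-15T03:10:22Z", "userPrincipalName": "gina@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
"""


def parse_signins(text):
    """Parse newline-delimited signIn JSON into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "code": rec["status"]["errorCode"],
        })
    return sorted(events, key=lambda e: e["time"])


def find_spray_bursts(events, max_gap=timedelta(minutes=10), min_users=5):
    """Cluster each source IP's failed sign-ins into runs separated by silence
    longer than max_gap (assumed threshold). A run that touches at least
    min_users distinct accounts is a spray burst: many users, few tries each."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["code"] != 0:
            fails_by_ip[e["ip"]].append(e)
    bursts = []
    for ip, fails in fails_by_ip.items():
        runs, run = [], [fails[0]]
        for e in fails[1:]:
            if e["time"] - run[-1]["time"] > max_gap:
                runs.append(run)
                run = [e]
            else:
                run.append(e)
        runs.append(run)
        for run in runs:
            users = {e["user"] for e in run}
            if len(users) >= min_users:
                bursts.append({
                    "ip": ip, "start": run[0]["time"], "end": run[-1]["time"],
                    "users": users, "attempts": len(run),
                    "nonexistent_users": sum(e["code"] == 50034 for e in run),
                })
    return sorted(bursts, key=lambda b: b["start"])


def find_takeover_candidates(events, bursts, lookahead=timedelta(hours=24)):
    """A success from a spraying IP, for an account that IP sprayed, during or
    shortly after the burst is the account-takeover signal to triage first."""
    hits = []
    for e in events:
        if e["code"] != 0:
            continue
        for b in bursts:
            if (e["ip"] == b["ip"] and e["user"] in b["users"]
                    and b["start"] <= e["time"] <= b["end"] + lookahead):
                hits.append((e["user"], e["ip"], e["time"]))
                break
    return hits


def quiet_periods(bursts):
    """Gaps between consecutive bursts from the same IP: the 'quiet periods'
    between waves that the report describes."""
    by_ip = defaultdict(list)
    for b in bursts:
        by_ip[b["ip"]].append(b)
    return [(ip, nxt["start"] - prev["end"])
            for ip, bs in by_ip.items() for prev, nxt in zip(bs, bs[1:])]


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_SIGNINS)
    found = find_spray_bursts(evs)
    for b in found:
        print(f"spray burst from {b['ip']}: {b['start']:%Y-%m-%d %H:%M} .. {b['end']:%H:%M}, "
              f"{len(b['users'])} users, {b['attempts']} attempts, "
              f"{b['nonexistent_users']} nonexistent")
    for user, ip, when in find_takeover_candidates(evs, found):
        print(f"TAKEOVER CANDIDATE: {user} from {ip} at {when:%Y-%m-%d %H:%M:%S}")
    for ip, gap in quiet_periods(found):
        print(f"quiet period for {ip}: {gap}")
```

On the constructed sample this reports two bursts from 203.0.113.10 roughly five days apart, one takeover candidate (carol, who succeeded from the spraying IP minutes after the burst), and ignores alice’s single mistyped password from her own address. Because the campaign rotates AWS source addresses, a production version should also key on user agent or ASN rather than on the IP alone, and feed the output into the IOC check the researchers recommend.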

Depending on the privileges of the account and how it’s integrated into an organization’s cloud ecosystem, a compromised Microsoft Entra ID account can be extremely dangerous.

If it’s an account with high privileges, the attackers may use it to reset passwords for any user, modify conditional access policies, disable MFA or security controls, delete audit logs, and much more.

Entra ID accounts should be secured with unique, strong passwords and multi-factor authentication, and logins should be monitored and logged, with the logs regularly reviewed. Conditional access policies should be implemented and identity protection enabled to block risky logins. Unused accounts should be disabled.
