
TeamFiltration Unleashes Account Takeover Campaign on 80,000+ Microsoft Entra ID Accounts

Over 80,000 Microsoft Entra ID Accounts Under Siege by TeamFiltration Tool

Cybersecurity researchers have uncovered a widespread account takeover campaign, codenamed UNK_SneakyStrike, targeting over 80,000 Microsoft Entra ID (formerly Azure Active Directory) user accounts across hundreds of organizations. This sophisticated attack leverages TeamFiltration, an open-source penetration testing framework, to conduct user enumeration and password spraying attempts, leading to successful account compromises.


Key Takeaways

  • The UNK_SneakyStrike campaign has targeted over 80,000 Microsoft Entra ID accounts since December 2024.

  • Attackers are utilizing the open-source TeamFiltration tool for user enumeration and password spraying.

  • The campaign employs Microsoft Teams API and AWS servers across various geographical regions to launch attacks.

  • Successful compromises have led to unauthorized access to resources like Microsoft Teams, OneDrive, and Outlook.

  • Proofpoint observed malicious activity originating primarily from the United States (42%), Ireland (11%), and Great Britain (8%).

The TeamFiltration Threat

TeamFiltration, developed by researcher Melvin "Flangvik" Langvik and released at DEF CON in August 2022, is a cross-platform framework designed for enumerating, spraying, exfiltrating, and backdooring Entra ID accounts. While intended for legitimate penetration testing, threat actors have weaponized its capabilities for malicious purposes. The tool facilitates:

  • Account Enumeration: Uses the Microsoft Teams API to verify user account existence within a targeted Entra ID environment.

  • Password Spraying: Attempts to log in using common or systematically varied passwords, rotating IP addresses across multiple AWS regions to evade detection.

  • Data Exfiltration: Extracts sensitive data, including emails and files, from cloud storage.

  • Persistence and Backdooring: Uploads malicious files to a victim's OneDrive, potentially replacing legitimate documents with lookalikes containing malware.

Attack Methodology and Scale

Proofpoint's analysis reveals that the UNK_SneakyStrike activity involves "large-scale user enumeration and password spraying attempts" executed in "highly concentrated bursts." Each burst targets multiple users within a single cloud environment and is followed by a four- to five-day lull. In smaller cloud tenants the attackers attempt to access every user account, while in larger organizations they focus on a subset of users, behaviour that aligns with TeamFiltration's advanced target-acquisition features.

Mitigation and Recommendations

This campaign underscores the critical need for robust cybersecurity measures. Organizations are advised to:

  • Monitor for Unusual Sign-ins: Scrutinize sign-in attempts from suspicious IP addresses and user agents, particularly those originating from AWS regions.

  • Audit OAuth Applications: Regularly review and audit OAuth applications and client IDs within Entra ID, especially those referenced in penetration testing tools.

  • Implement Multi-Factor Authentication (MFA): Enforce MFA across all user accounts and restrict the use of legacy authentication protocols.

  • Stay Updated: Continuously monitor for new tactics, techniques, and procedures (TTPs) and share threat intelligence within the organization and industry.
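To make the first recommendation concrete, the following is an added example (not code from the article, Proofpoint, or the TeamFiltration project) of a burst detector a defender could run over exported Entra ID sign-in logs: it flags a source IP that fails password authentication for many distinct users inside a short window, the signature of a spray rather than a forgotten password, and reports any success from that IP afterwards. The sample records, the 10-minute window and the four-user threshold are constructed assumptions to tune per tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error code for "invalid username or password".
ERR_BAD_PASSWORD = 50126
# Detection thresholds: assumptions to tune per tenant, not values from the article.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 4

# Constructed sample records (documentation IP ranges, not real indicators),
# shaped like a subset of the Entra ID sign-in log fields.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T03:00:01Z","userPrincipalName":"a.adams@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:00:04Z","userPrincipalName":"b.baker@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:00:09Z","userPrincipalName":"c.clark@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:00:15Z","userPrincipalName":"d.diaz@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T03:00:22Z","userPrincipalName":"e.evans@example.com","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T09:12:00Z","userPrincipalName":"f.ford@example.com","ipAddress":"203.0.113.5","status":{"errorCode":50126}}
{"createdDateTime":"2025-01-10T09:12:30Z","userPrincipalName":"f.ford@example.com","ipAddress":"203.0.113.5","status":{"errorCode":0}}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records into sorted (time, user, ip, code) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        rows.append((ts, r["userPrincipalName"].lower(), r["ipAddress"], r["status"]["errorCode"]))
    return sorted(rows)

def detect_spray(rows, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Key on the source IP, not the user: a spray is many users with one or two tries each,
    so per-user lockout thresholds never trip. Return {ip: details} for flagged IPs."""
    by_ip = defaultdict(list)
    for ts, user, ip, code in rows:
        by_ip[ip].append((ts, user, code))
    alerts = {}
    for ip, events in by_ip.items():
        failures = [(ts, u) for ts, u, code in events if code == ERR_BAD_PASSWORD]
        for i, (start, _) in enumerate(failures):
            users = {u for ts, u in failures[i:] if ts - start <= window}
            if len(users) >= min_users:
                # A success from the same IP after the burst is the account-takeover signal.
                success = sorted(u for ts, u, code in events if code == 0 and ts >= start)
                alerts[ip] = {"distinct_users": len(users), "success_after_spray": success}
                break
    return alerts
```

On the constructed sample, only 198.51.100.7 is flagged (four distinct users failing within 21 seconds, then e.evans signing in successfully), while the single user retrying from 203.0.113.5 is not.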

The misuse of legitimate security tools like TeamFiltration highlights the evolving sophistication of threat actors and the importance of proactive defense strategies.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool, The Hacker News.

  • New Campaign Targets Entra ID User Accounts Using Pentesting Tool for Account Takeover, GBHackers News.

