Cyber Web Spider Blog – News
TeamFiltration Abused in Entra ID Account Takeover Campaign

Posted on June 13, 2025 By CWS

A large-scale account takeover (ATO) campaign has been abusing the TeamFiltration penetration testing framework to target Entra ID users, Proofpoint reports.

Launched in 2022, TeamFiltration is a pentesting tool for automating TTPs used in ATO attacks, with support for account enumeration, password spraying, data exfiltration, and obtaining persistent access via OneDrive.

The framework requires an AWS account to initiate the ATO simulation, as well as a ‘sacrificial’ Office 365 account with a Business Basic license and the Microsoft Teams API to enumerate accounts in the Entra ID environment.

According to Proofpoint, a threat actor started using TeamFiltration in December 2024 to target user accounts across roughly 100 cloud tenants, and has successfully compromised several accounts so far. The attacks peaked in January 2025.

Tracked as UNK_SneakyStrike, the campaign used a combination of the Microsoft Teams API and AWS servers scattered across the world for password spraying, in highly concentrated bursts.

“Most bursts target a range of users within a single cloud environment, followed by quiet periods that typically last around four to five days,” Proofpoint explains.

The attackers attempt to access all user accounts within smaller cloud tenants, but focus on a smaller number of users in larger tenants, a behavior that matches TeamFiltration’s advanced target acquisition features.

Proofpoint identified a specific user agent for an outdated version of Microsoft Teams used in the attacks, as well as attempts to access a specific sign-in application from devices incompatible with the software.
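As an added example (not from the article, Proofpoint, or the TeamFiltration project), the detection logic below turns two of the indicators described above into checks over constructed sign-in records: a burst of failures against many distinct users within a short window, and successful sign-ins that present an outdated Teams client. The `Teams/<major>.<minor>...` user-agent format, the version threshold, and the record field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of Entra ID sign-in log fields (not real data): six users hit
# from two IPs within one minute, then benign traffic five days later.
SAMPLE_SIGNINS = [
    {"time": "2025-01-10T03:00:05", "user": "a.lee", "ip": "203.0.113.10", "ok": False, "ua": "Teams/1.3.00.1234"},
    {"time": "2025-01-10T03:00:09", "user": "b.kim", "ip": "203.0.113.10", "ok": False, "ua": "Teams/1.3.00.1234"},
    {"time": "2025-01-10T03:00:14", "user": "c.ali", "ip": "198.51.100.7", "ok": False, "ua": "Teams/1.3.00.1234"},
    {"time": "2025-01-10T03:00:20", "user": "d.roy", "ip": "198.51.100.7", "ok": False, "ua": "Teams/1.3.00.1234"},
    {"time": "2025-01-10T03:00:31", "user": "e.chen", "ip": "203.0.113.10", "ok": False, "ua": "Teams/1.3.00.1234"},
    {"time": "2025-01-10T03:00:40", "user": "f.diaz", "ip": "198.51.100.7", "ok": True, "ua": "Teams/1.3.00.1234"},
    {"time": "2025-01-15T09:12:00", "user": "a.lee", "ip": "192.0.2.44", "ok": True, "ua": "Teams/1.7.00.5000"},
    {"time": "2025-01-15T09:14:10", "user": "b.kim", "ip": "192.0.2.45", "ok": False, "ua": "Teams/1.7.00.5000"},
    {"time": "2025-01-15T09:14:30", "user": "b.kim", "ip": "192.0.2.45", "ok": True, "ua": "Teams/1.7.00.5000"},
]

def detect_spray_bursts(records, window_minutes=10, min_users=5, min_failure_ratio=0.8):
    """Bucket sign-ins into fixed windows (window_minutes must divide 60). A bucket is a spray
    burst when many distinct users are attempted and most attempts fail; the distinct IP count
    shows how the burst was spread. Returns [(window_start_iso, users, ips, failure_ratio)]."""
    buckets = defaultdict(list)
    for r in records:
        ts = datetime.fromisoformat(r["time"])
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)
        buckets[start].append(r)
    bursts = []
    for start in sorted(buckets):
        rs = buckets[start]
        users = {r["user"] for r in rs}
        ips = {r["ip"] for r in rs}
        ratio = sum(not r["ok"] for r in rs) / len(rs)
        if len(users) >= min_users and ratio >= min_failure_ratio:
            bursts.append((start.isoformat(), len(users), len(ips), round(ratio, 2)))
    return bursts

# Assumed threshold: the oldest Teams client version the tenant legitimately runs.
MIN_TEAMS_VERSION = (1, 5)

def outdated_teams_successes(records, min_version=MIN_TEAMS_VERSION):
    """Successful sign-ins presenting a Teams client older than min_version.
    The 'Teams/<major>.<minor>...' user-agent format is assumed for the sample."""
    hits = []
    for r in records:
        if not r["ok"] or not r["ua"].startswith("Teams/"):
            continue
        version = tuple(int(p) for p in r["ua"].split("/", 1)[1].split(".")[:2])
        if version < min_version:
            hits.append((r["time"], r["user"], r["ip"], r["ua"]))
    return hits
```

In a real tenant, the same two checks would run over exported sign-in logs with the user-agent string and version floor replaced by the values observed in your environment.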

The investigation also uncovered a link between the attacks and a list of application IDs pre-configured in TeamFiltration. These are Microsoft OAuth apps that can obtain specific “family refresh tokens” from Entra ID, which can then be exchanged for valid bearer tokens and used to access accounts.

Most of the attempts originated from AWS infrastructure in the US (42%), Ireland (11%), and the UK (8%), Proofpoint says.

“While tools such as TeamFiltration are designed to help cybersecurity practitioners in testing and improving defense solutions, they can easily be weaponized by threat actors to compromise user accounts, exfiltrate sensitive data, and establish persistent footholds,” the company notes.

Related: Fog Ransomware Attack Employs Unusual Tools

Related: SimpleHelp Vulnerability Exploited Against Utility Billing Software Users

Related: Cobalt Strike Abuse Dropped 80% in Two Years