Skip to content
  • Blog Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form

Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool

Posted on June 12, 2025June 12, 2025 By CWS

Jun 12, 2025Ravie LakshmananEnterprise Safety / Lively Listing
Cybersecurity researchers have uncovered a brand new account takeover (ATO) marketing campaign that leverages an open-source penetration testing framework known as TeamFiltration to breach Microsoft Entra ID (previously Azure Lively Listing) person accounts.
The exercise, codenamed UNK_SneakyStrike by Proofpoint, has affected over 80,000 focused person accounts throughout tons of of organizations’ cloud tenants since a surge in login makes an attempt was noticed in December 2024, resulting in profitable account takeovers.

“Attackers leverage Microsoft Groups API and Amazon Net Providers (AWS) servers positioned in varied geographical areas to launch user-enumeration and password-spraying makes an attempt,” the enterprise safety firm stated. “Attackers exploited entry to particular sources and native purposes, corresponding to Microsoft Groups, OneDrive, Outlook, and others.”

TeamFiltration, publicly launched by researcher Melvin “Flangvik” Langvik, in August 2022 on the DEF CON safety convention, is described as a cross-platform framework for “enumerating, spraying, exfiltrating, and backdooring” Entra ID accounts.
The software presents intensive capabilities to facilitate account takeover utilizing password spraying assaults, information exfiltration, and protracted entry by importing malicious recordsdata to the goal’s Microsoft OneDrive account.

Whereas the software requires an Amazon Net Providers (AWS) account and a disposable Microsoft 365 account to facilitate password spraying and account enumeration features, Proofpoint stated it noticed proof of malicious exercise leveraging TeamFiltration to conduct these actions such that every password spraying wave originates from a unique server in a brand new geographic location.
The three major supply geographies linked to malicious exercise primarily based on the variety of IP addresses embrace the USA (42%), Eire (11%), and Nice Britain (8%).

The UNK_SneakyStrike exercise has been described as “large-scale person enumeration and password spraying makes an attempt,” with the unauthorized entry efforts occurring in “extremely concentrated bursts” focusing on a number of customers inside a single cloud setting. That is adopted by a lull that lasts for 4 to 5 days.
The findings as soon as once more spotlight how instruments designed to help cybersecurity professionals could be misused by risk actors to hold out a variety of nefarious actions that enable them to breach person accounts, harvest delicate information, and set up persistent footholds.
“UNK_SneakyStrike’s focusing on technique suggests they try to entry all person accounts inside smaller cloud tenants whereas focusing solely on a subset of customers in bigger tenants,” Proofpoint stated. “This behaviour matches the software’s superior goal acquisition options, designed to filter out much less fascinating accounts.”

Discovered this text attention-grabbing? Comply with us on Twitter  and LinkedIn to learn extra unique content material we put up.

The Hacker News Tags:Accounts, Entra, Microsoft, OpenSource, Targeted, TeamFiltration, Tool

Post navigation

Previous Post: Zero-Click Microsoft 365 Copilot Vulnerability Let Attackers Exfiltrates Sensitive Data Abusing Teams
Next Post: ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks

Related Posts

Citrix Bleed 2 Flaw Enables Token Theft; SAP GUI Flaws Risk Sensitive Data Exposure The Hacker News
New PHP-Based Interlock RAT Variant Uses FileFix Delivery Mechanism to Target Multiple Industries The Hacker News
Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads The Hacker News
That Network Traffic Looks Legit, But it Could be Hiding a Serious Threat The Hacker News
Transforming Your Cybersecurity Practice Into An MRR Machine The Hacker News
OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Aanchal Gupta Joins Adobe as Chief Security Officer
  • Hackers Attacking IIS Servers With New Web Shell Script to Gain Complete Remotely Control
  • GitHub Outage Disrupts Core Services Globally for Users
  • CISA Adds PaperCut NG/MF CSRF Vulnerability to KEV Catalog Amid Active Exploitation
  • Creating Realistic Deepfakes Is Getting Easier Than Ever. Fighting Back May Take Even More AI

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Aanchal Gupta Joins Adobe as Chief Security Officer
  • Hackers Attacking IIS Servers With New Web Shell Script to Gain Complete Remotely Control
  • GitHub Outage Disrupts Core Services Globally for Users
  • CISA Adds PaperCut NG/MF CSRF Vulnerability to KEV Catalog Amid Active Exploitation
  • Creating Realistic Deepfakes Is Getting Easier Than Ever. Fighting Back May Take Even More AI

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News