
Password Spraying Attacks Hit Entra ID Accounts – Source: www.proofpoint.com


Source: www.proofpoint.com – Author:

Identity & Access Management, Security Operations

Hackers Use TeamFiltration Penetration Testing Tool

Prajeet Nair (@prajeetspeaks) • June 12, 2025


A threat actor is using the password spraying feature of the TeamFiltration pentesting tool to launch attacks against Microsoft Entra accounts – and finding success.


Researchers at Proofpoint say the hackers, which the firm now tracks as UNK_SneakyStrike, have been active since December. The threat actor has targeted more than 80,000 user accounts across roughly 100 cloud tenants. Successful attacks resulted in attackers exploiting access to resources such as Microsoft Teams, OneDrive and Outlook.

UNK_SneakyStrike activity tends to come in concentrated bursts, targeting “a wide range of users within a single cloud environment, followed by quiet periods that typically last around four to five days.”

Several indicators pointed to the attacks using TeamFiltration, a tool that debuted publicly in 2022 at the Def Con conference. Developed for legitimate security assessments, TeamFiltration is also embraced by attackers for automating user enumeration, password spraying and data exfiltration. It is an open-source penetration testing framework designed to simulate account takeover attacks in Microsoft cloud environments, specifically targeting Microsoft Entra ID, formerly Azure Active Directory.

The tool’s ability to exploit Microsoft Teams APIs and use Amazon Web Services cloud infrastructure to rotate source IP addresses makes it particularly difficult to detect and block. Its features, such as backdooring OneDrive, allow attackers to gain and maintain persistent access without triggering traditional alerts.

“While tools such as TeamFiltration are designed to assist cyber security practitioners in testing and improving defense solutions, they can easily be weaponized by threat actors,” Proofpoint wrote.

Proofpoint identified several unique indicators of compromise, including a rarely seen Microsoft Teams user agent and unusual access patterns to Microsoft’s sign-in applications from unsupported devices. These indicators closely matched TeamFiltration’s public documentation, strengthening attribution.

TeamFiltration relies on AWS infrastructure to launch its attacks. Each password spraying wave is routed through a different AWS Region, with the United States, Ireland and the United Kingdom being the top sources.

The attackers’ strategy is adaptive, researchers said. Attackers attempt to breach all user accounts in smaller cloud tenants while focusing only on high-value users in larger ones. Attack bursts are often followed by silent periods of four to five days, mimicking red team operations and making detection more challenging.
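Because each wave is spread across rotating source addresses, a per-IP failure threshold sees little; grouping failed sign-ins by tenant and time exposes both the wide bursts and the quiet periods between them. The following is an added example, not code from Proofpoint or the original article; the record layout, thresholds, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_spray_bursts(events, max_gap=timedelta(minutes=10), min_users=5):
    """Flag bursts of failed sign-ins that touch many accounts in one tenant.

    events: (iso_time, tenant, user, src_ip, succeeded) tuples (assumed layout).
    A burst is a run of failures with no pause longer than max_gap. Counting
    distinct users per burst, not failures per IP, survives source-IP rotation.
    """
    failures = defaultdict(list)
    for ts, tenant, user, ip, ok in events:
        if not ok:
            failures[tenant].append((datetime.fromisoformat(ts), user, ip))
    flagged = []
    for tenant, rows in failures.items():
        rows.sort()
        burst = [rows[0]]
        for row in rows[1:] + [None]:  # trailing None flushes the last burst
            if row is not None and row[0] - burst[-1][0] <= max_gap:
                burst.append(row)
                continue
            users = {u for _, u, _ in burst}
            if len(users) >= min_users:
                per_ip = defaultdict(int)
                for _, _, ip in burst:
                    per_ip[ip] += 1
                flagged.append({"tenant": tenant, "start": burst[0][0],
                                "end": burst[-1][0], "users": len(users),
                                "ips": len(per_ip),
                                "max_failures_per_ip": max(per_ip.values())})
            burst = [row]
    return flagged

def quiet_gaps_days(bursts):
    """Days of silence between consecutive flagged bursts in the same tenant."""
    ordered = sorted(bursts, key=lambda b: (b["tenant"], b["start"]))
    return [round((b["start"] - a["end"]).total_seconds() / 86400, 1)
            for a, b in zip(ordered, ordered[1:]) if a["tenant"] == b["tenant"]]

def sample_events():
    """Constructed data: two rotated-IP bursts four days apart, plus one user's typos."""
    ev = []
    for day, net in (("2025-01-06", "203.0.113."), ("2025-01-10", "198.51.100.")):
        for i in range(6):
            ev.append((f"{day}T09:0{i}:00", "tenant-a", f"user{i}@example.com",
                       f"{net}{i + 10}", False))
    ev += [(f"2025-01-08T14:0{i}:00", "tenant-a", "bob@example.com", "192.0.2.7", False)
           for i in range(3)]
    return ev
```

On the constructed sample, both bursts are flagged even though no single address fails more than once, while the one user who mistypes a password three times is not.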

Proofpoint said that distinguishing between legitimate penetration tests and real malicious activity is increasingly difficult, although UNK_SneakyStrike exhibited broader, indiscriminate targeting patterns inconsistent with ethical red teaming.

The firm also found errors in the threat actor’s TeamFiltration configuration, specifically, misidentified client application IDs for Outlook and OneNote. That may indicate the attackers are using outdated tool versions.

Original Post URL: https://www.proofpoint.com/us/newsroom/news/password-spraying-attacks-hit-entra-id-accounts
