A large-scale account takeover (ATO) campaign has been abusing the TeamFiltration penetration testing framework to target Entra ID users, Proofpoint reports.
Released in 2022, TeamFiltration is a pentesting tool for automating TTPs used in ATO attacks, with support for account enumeration, password spraying, data exfiltration, and obtaining persistent access via OneDrive.
The framework requires an AWS account to initiate the ATO simulation, as well as a ‘sacrificial’ Office 365 account with a Business Basic license and the Microsoft Teams API to enumerate accounts in the Entra ID environment.
According to Proofpoint, a threat actor started using TeamFiltration in December 2024 to target user accounts across approximately 100 cloud tenants, and has successfully compromised multiple accounts to date. The attacks peaked in January 2025.
Tracked as UNK_SneakyStrike, the campaign combined the Microsoft Teams API with AWS servers scattered across the world to carry out password spraying in highly concentrated bursts.
“Most bursts target a wide range of users within a single cloud environment, followed by quiet periods that typically last around four to five days,” Proofpoint explains.
The attackers attempt to access all user accounts within smaller cloud tenants, but focus on a smaller number of users on larger tenants, a behavior that matches TeamFiltration’s advanced target acquisition features.
Proofpoint identified a distinctive user agent for an outdated version of Microsoft Teams used in the attacks, as well as attempts to access a specific sign-in application from devices incompatible with the software.
The investigation also uncovered a link between the attacks and a list of application IDs pre-configured in TeamFiltration. These are Microsoft OAuth apps that can receive special “family refresh tokens” from Entra ID, which can then be exchanged for valid bearer tokens and used to access accounts.
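The burst pattern and the outdated Teams user agent described above translate directly into sign-in-log hunting logic. The following is an added example, not code from Proofpoint or the TeamFiltration project; the sign-in records, the `Teams/<major>.<minor>` user-agent format and the version cutoff are constructed assumptions, since the report does not publish the actual strings.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed records in a simplified Entra ID sign-in-log shape (not real data):
# (timestamp, user principal name, source IP, user agent, result).
SAMPLE_SIGNINS = [
    ("2025-01-14T03:00:05", "alice@corp.example", "203.0.113.10", "Teams/1.3.00.4461", "failure"),
    ("2025-01-14T03:00:09", "bob@corp.example", "203.0.113.10", "Teams/1.3.00.4461", "failure"),
    ("2025-01-14T03:00:14", "carol@corp.example", "203.0.113.10", "Teams/1.3.00.4461", "failure"),
    ("2025-01-14T03:00:20", "dave@corp.example", "203.0.113.10", "Teams/1.3.00.4461", "failure"),
    ("2025-01-14T03:00:27", "erin@corp.example", "203.0.113.10", "Teams/1.3.00.4461", "success"),
    ("2025-01-14T03:00:31", "frank@corp.example", "203.0.113.10", "Teams/1.3.00.4461", "failure"),
    # One user mistyping a password from a home IP: many attempts, one account.
    ("2025-01-14T09:15:00", "alice@corp.example", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0)", "failure"),
    ("2025-01-14T09:15:20", "alice@corp.example", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0)", "failure"),
    ("2025-01-14T09:15:40", "alice@corp.example", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0)", "success"),
]

def spray_bursts(signins, window_minutes=10, min_users=5, max_per_user=2):
    """Flag (source IP, time window) pairs where one IP touched many distinct
    accounts with only a few attempts each: the burst-style spray shape."""
    attempts = defaultdict(lambda: defaultdict(int))   # (ip, window) -> user -> tries
    successes = defaultdict(list)                       # (ip, window) -> users that got in
    for ts, user, ip, _ua, result in signins:
        t = datetime.fromisoformat(ts)
        window = t.replace(minute=t.minute - t.minute % window_minutes, second=0, microsecond=0)
        attempts[(ip, window)][user] += 1
        if result == "success":
            successes[(ip, window)].append(user)
    findings = []
    for (ip, window), per_user in sorted(attempts.items()):
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            findings.append({"ip": ip, "window": window.isoformat(), "users": len(per_user),
                             "successes": successes[(ip, window)]})
    return findings

def legacy_teams_clients(signins, min_version=(1, 4)):
    """List (ip, user agent) pairs advertising a Teams client older than min_version.
    The 'Teams/<major>.<minor>' format and the cutoff are assumptions for this example."""
    seen = set()
    for _ts, _user, ip, ua, _result in signins:
        m = re.search(r"Teams/(\d+)\.(\d+)", ua)
        if m and (int(m.group(1)), int(m.group(2))) < min_version:
            seen.add((ip, ua))
    return sorted(seen)

if __name__ == "__main__":
    for f in spray_bursts(SAMPLE_SIGNINS):
        print(f"spray burst from {f['ip']} at {f['window']}: {f['users']} accounts, successes={f['successes']}")
    print("outdated Teams clients:", legacy_teams_clients(SAMPLE_SIGNINS))
```

Tune `window_minutes`, `min_users` and `max_per_user` to the tenant's size: the report notes the actor sprays nearly every account in small tenants but only a subset in large ones, so a fixed user threshold will under-fire on small tenants.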
Most of the attempts originated from AWS infrastructure in the US (42%), Ireland (11%), and the UK (8%), Proofpoint says.
“While tools such as TeamFiltration are designed to assist cyber security practitioners in testing and improving defense solutions, they can easily be weaponized by threat actors to compromise user accounts, exfiltrate sensitive data, and establish persistent footholds,” the company notes.
