Threat Actor Uses TeamFiltration to Target Microsoft Entra ID Accounts Globally
A large-scale password-spraying campaign targeting Microsoft Entra ID accounts has compromised user credentials across hundreds of organizations worldwide, according to cybersecurity firm Proofpoint.
The operation began in December 2024 and is attributed to a threat actor known as UNK_SneakyStrike. At its peak on January 8, the campaign targeted 16,500 accounts in a single day. The pattern shows sharp bursts of activity followed by several days of silence.
“Since December 2024, UNK_SneakyStrike activity has affected over 80,000 targeted user accounts across hundreds of organizations, resulting in several cases of successful account takeover,” — Proofpoint
TeamFiltration Tool Powers the Attack Campaign
The attackers used TeamFiltration, a penetration testing framework published in 2022 by TrustedSec researcher Melvin Langvik. Designed for enumerating, spraying, exfiltrating, and backdooring Office 365 and Entra ID accounts, the tool played a central role in the operation.
Proofpoint linked the activity to TeamFiltration through several technical indicators:
- A rare user agent string specific to the tool
- Matching hardcoded OAuth client IDs
- An embedded outdated snapshot of Secureworks’ FOCI project
- Access attempts on applications that are incompatible with the target environment
The researchers found that UNK_SneakyStrike adjusted its targeting approach based on the size of the tenant. In small environments, all users were targeted, while in larger organizations, only a subset of users was selected.
Attack Infrastructure and Geographic Distribution
The campaign relied on Amazon Web Services (AWS) infrastructure spread across multiple regions. A sacrificial Office 365 account, configured with a Business Basic license, was used to interact with the Microsoft Teams API for account enumeration.
The majority of traffic originated from:
- United States – 42%
- Ireland – 11%
- United Kingdom – 8%
Spreading the traffic across source IPs in these regions helped mask the activity and avoid triggering geo-based detection rules.
Recommendations for Enterprise Defenders
Proofpoint advises enterprises to take the following steps to mitigate the threat:
- Block IP addresses listed in their Indicators of Compromise (IOCs)
- Create detection rules for the TeamFiltration user agent
- Enable multi-factor authentication (MFA) for all users
- Enforce OAuth 2.0 standards and use conditional access policies within Microsoft Entra ID
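As an added illustration of the detection advice above (example code written for this article, not Proofpoint's or TrustedSec's), the Python below runs two checks over constructed Entra ID sign-in records: a password-spray pattern (one source IP failing against several distinct accounts in a short window, then any successes from that IP) and a watchlist match on user agent or OAuth client ID. The log lines, IP addresses, user-agent string and client ID are placeholders, not real TeamFiltration indicators; populate the watchlists from the vendor IOCs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watchlists: fill from vendor IOCs. The values here are placeholders.
SUSPICIOUS_USER_AGENTS = {"PLACEHOLDER-TeamFiltration-UA"}
SUSPICIOUS_CLIENT_IDS = {"00000000-0000-0000-0000-000000000000"}

# Constructed sign-in log (not real data): time|user|source IP|result|user agent|client app ID
SIGNINS = [
    "2025-01-08T10:00:01|u1@example.test|203.0.113.10|fail|Mozilla/5.0|1111",
    "2025-01-08T10:00:05|u2@example.test|203.0.113.10|fail|Mozilla/5.0|1111",
    "2025-01-08T10:00:09|u3@example.test|203.0.113.10|fail|Mozilla/5.0|1111",
    "2025-01-08T10:00:14|u4@example.test|203.0.113.10|fail|Mozilla/5.0|1111",
    "2025-01-08T10:00:20|u5@example.test|203.0.113.10|success|Mozilla/5.0|1111",
    "2025-01-08T10:30:00|u6@example.test|198.51.100.7|fail|PLACEHOLDER-TeamFiltration-UA|1111",
]

def parse(line):
    t, user, ip, result, ua, app = line.split("|")
    return {"time": datetime.fromisoformat(t), "user": user, "ip": ip,
            "result": result, "ua": ua, "app": app}

def detect_spray(lines, window_minutes=10, min_users=4):
    """{ip: failing users} for IPs that fail against >= min_users distinct accounts in a window."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for rec in map(parse, lines):
        if rec["result"] == "fail":
            by_ip[rec["ip"]].append((rec["time"], rec["user"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window over failures from this IP, ordered by time
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = {u for _, u in events}
                break
    return flagged

def likely_compromised(lines, spray_ips):
    """Successful sign-ins from a spraying IP: the account-takeover cases to triage first."""
    return sorted({r["user"] for r in map(parse, lines)
                   if r["result"] == "success" and r["ip"] in spray_ips})

def detect_indicators(lines):
    """Records whose user agent or client app ID is on a watchlist."""
    return [r for r in map(parse, lines)
            if r["ua"] in SUSPICIOUS_USER_AGENTS or r["app"] in SUSPICIOUS_CLIENT_IDS]
```

On the sample data, `detect_spray` flags 203.0.113.10, `likely_compromised` returns the one account that later signed in successfully from it, and `detect_indicators` catches the single placeholder user-agent hit from 198.51.100.7 that the volume check alone would miss.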
This campaign underscores the continued use of legitimate pentesting tools by threat actors to launch credential-based cyberattacks at scale, often without raising immediate red flags in traditional monitoring systems.