Password Spraying Attacks Hit Entra ID Accounts

Hackers Use TeamFiltration Penetration Testing Tool Prajeet Nair (@prajeetspeaks) • June 12, 2025

A threat actor is using the password spraying feature of the TeamFiltration pentesting tool to launch attacks against Microsoft Entra accounts - and finding success.

See Also: Proof of Concept: Rethinking Identity for the Age of AI Agents

Researchers at Proofpoint say hackers it now tracks as UNK_SneakyStrike have been active since December. The threat actor has targeted more than 80,000 user accounts across roughly 100 cloud tenants. Successful attacks resulted in attackers exploiting access to resources such as Microsoft Teams, OneDrive and Outlook.

UNK_SneakyStrike activity tends to come in concentrated bursts, targeting "a wide range of users within a single cloud environment, followed by quiet periods that typically last around four to five days."

Several indicators pointed to the attacks using TeamFiltration, a tool that debuted publicly in 2022 at the Def Con conference. Developed ...