TeamFiltration Abused in Entra ID Account Takeover Campaign
securityweek
A large-scale account takeover (ATO) campaign has been abusing the TeamFiltration penetration testing framework to target Entra ID users, Proofpoint reports.
Released in 2022, TeamFiltration is a pentesting tool for automating TTPs used in ATO attacks, with support for account enumeration, password spraying, data exfiltration, and obtaining persistent access via OneDrive.
The framework requires an AWS account to initiate the ATO simulation, as well as a ‘sacrificial’ Office 365 account with a Business Basic license and the Microsoft Teams API to enumerate accounts in the Entra ID environment.
According to Proofpoint, a threat actor started using TeamFiltration in December 2024 to target user accounts across approximately 100 cloud tenants, and has successfully compromised multiple accounts to date. The attacks peaked in January 2025.
Tracked as UNK_SneakyStrike, the campaign used a combination of the Microsoft Teams API and AWS servers scattered across the world for password spraying in highly concentrated bursts.
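A defender-side sketch of the burst pattern described above, added here as an example and not taken from Proofpoint or the article: it flags short windows where failed sign-ins hit many distinct accounts from several source IPs, then lists accounts that signed in successfully from one of those IPs. The event tuple layout, thresholds, user names and documentation-range IPs are constructed assumptions.

```python
from datetime import datetime, timedelta

def t(hhmm):
    # Helper for the constructed sample data below.
    return datetime.fromisoformat("2025-01-08T" + hhmm + ":00")

# Constructed sign-in events: (timestamp, user, source_ip, success)
EVENTS = [
    (t("03:00"), "alice", "198.51.100.7", False),
    (t("03:00"), "bob",   "203.0.113.9",  False),
    (t("03:01"), "carol", "192.0.2.44",   False),
    (t("03:02"), "dana",  "198.51.100.7", False),
    (t("03:03"), "erin",  "203.0.113.9",  False),
    (t("03:04"), "frank", "192.0.2.44",   False),
    (t("03:05"), "dana",  "203.0.113.9",  True),   # success from a burst IP
    (t("09:00"), "gina",  "192.0.2.200",  False),  # ordinary mistyped password
    (t("09:01"), "gina",  "192.0.2.200",  True),
]

def find_spray_bursts(events, window=timedelta(minutes=10),
                      min_users=5, min_ips=3):
    """Return bursts where failures within `window` span at least
    `min_users` distinct accounts and `min_ips` distinct source IPs."""
    failures = sorted(e for e in events if not e[3])
    bursts, i = [], 0
    while i < len(failures):
        start = failures[i][0]
        j, users, ips = i, set(), set()
        # Collect every failure that falls inside the window opened at `start`.
        while j < len(failures) and failures[j][0] - start <= window:
            users.add(failures[j][1])
            ips.add(failures[j][2])
            j += 1
        if len(users) >= min_users and len(ips) >= min_ips:
            end = failures[j - 1][0]
            # Successful sign-ins from a burst IP during or just after the
            # burst are the accounts to review first.
            hits = sorted({u for ts, u, ip, ok in events
                           if ok and ip in ips and start <= ts <= end + window})
            bursts.append({"start": start, "end": end,
                           "users": sorted(users), "ips": sorted(ips),
                           "suspected_compromised": hits})
            i = j          # skip past the events already attributed
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for b in find_spray_bursts(EVENTS):
        print(b)
```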
“Most ...
Copyright of this story solely belongs to securityweek.