Attackers Unleash TeamFiltration: Active Account Takeover Campaign Hits Over 80,000 Users Across Entra ID Ecosystems


Proofpoint threat researchers have uncovered an ongoing account takeover campaign—UNK_SneakyStrike—actively exploiting the popular TeamFiltration pentesting tool to target Microsoft Entra ID users. Since December 2024, attackers have used legitimate cloud infrastructure and APIs to breach over 80,000 accounts globally. The abuse of pentesting frameworks in real-world intrusions marks a growing threat trend that enterprises must urgently address.

TeamFiltration, first released in January 2021 and showcased at DefCon 30, was originally designed for penetration testers to simulate cloud intrusions. Its advanced features (account enumeration, password spraying, persistent access via OneDrive, and data exfiltration) made it a go-to framework in legitimate security services.

However, by December 2024, Proofpoint researchers identified large-scale misuse of the tool in the wild. Attackers launched unauthorized access attempts against over 80,000 user accounts across 100+ Microsoft Entra ID tenants, using the tool’s native capabilities to evade detection and escalate access.

“This is a textbook example of dual-use tools being flipped by threat actors,” said Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft. “It highlights the importance of robust behavioral detection mechanisms.” [source: Proofpoint, 11 June 2025]

Cloud Infrastructure as a Launchpad

TeamFiltration leverages Amazon Web Services (AWS) to rotate attack origins across multiple regions. This strategy helps evade IP-based detection during password spraying and enumeration attacks. Proofpoint’s telemetry confirms attacker infrastructure was primarily hosted in:

  • United States (42%)
  • Ireland (11%)
  • Great Britain (8%)

Each wave of attacks targeted Microsoft apps including Teams, Outlook, OneDrive, and OneNote, exploiting their OAuth refresh token mechanisms to persist access.

MEA Focus: Risk Amplification in Regulatory Hot Zones

Middle East and Africa in the Crosshairs

While Proofpoint did not explicitly break down affected regions, Microsoft 365 usage is widespread across MEA, especially among financial services and governmental agencies. According to regional cybersecurity regulations such as SAMA’s Cybersecurity Framework (Saudi Arabia) and South Africa’s POPIA, organizations are legally bound to report breaches and secure user credentials.

“Cloud account compromises violate compliance baselines set by most MEA national frameworks,” notes Faisal Al-Khashab, CISO at a major Gulf-based bank. “Continuous monitoring for tools like TeamFiltration must be prioritized.” [Interview, 10 June 2025]

Failure to detect unauthorized cloud access could trigger fines or loss of public trust, especially under GDPR (Europe) and NITDA NDPR (Nigeria) mandates.

Global Trends: Dual-Use Tools and Security Blind Spots

The Exploitation of Open-Source Pentesting Frameworks

TeamFiltration joins a growing list of pentesting tools like Cobalt Strike, Sliver, and Evilginx, which have been weaponized in attacks. Proofpoint warns that defenders must not rely solely on known threat actor IOCs but instead monitor behavioral anomalies, such as:

  • Unusual login attempts from legacy Teams clients
  • App ID mismatches in authentication logs
  • Access attempts from incompatible device types

Such indicators arise from TeamFiltration’s own logic, in particular its reliance on spoofed user agents and sacrificial accounts (licensed but disposable identities).
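The three behavioral indicators above can be checked per sign-in event. The following is an added example, not code from the article, Proofpoint or TeamFiltration: it runs over constructed Entra ID sign-in records (field names follow the sign-in log schema: userAgent, appId, appDisplayName, deviceDetail.operatingSystem) and flags a legacy Teams client build, an app ID that disagrees with the advertised app or user agent, and a device OS that contradicts the user agent. The legacy-version threshold and the app-ID table are assumptions to tune; the only value taken from the article is the Teams build number in its IOC list.

```python
"""Per-event behavioural checks for TeamFiltration-style sign-ins.

Added example; not code from the article, Proofpoint or TeamFiltration.
Sample records, the legacy-version threshold and the app-ID table are
constructed assumptions; verify app IDs against your own tenant's logs.
"""
import re

# Assumption: Teams desktop builds below this (major, minor) count as legacy.
LEGACY_TEAMS_BELOW = (1, 4)

# Well-known Microsoft first-party client app IDs (verify against your tenant).
KNOWN_APP_IDS = {
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams",
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
}

TEAMS_UA_RE = re.compile(r"Teams/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def teams_version(user_agent):
    """Return the Teams client version tuple from a user agent, or None."""
    m = TEAMS_UA_RE.search(user_agent)
    return tuple(int(x) for x in m.groups()) if m else None


def check_record(rec):
    """Return the list of anomaly descriptions for one sign-in record."""
    findings = []
    ua = rec.get("userAgent", "")
    app_id = rec.get("appId")
    app_name = rec.get("appDisplayName")
    known_name = KNOWN_APP_IDS.get(app_id)
    os_name = rec.get("deviceDetail", {}).get("operatingSystem", "")

    # 1. Legacy Teams client: an old desktop build advertised in the user agent.
    ver = teams_version(ua)
    if ver and ver[:2] < LEGACY_TEAMS_BELOW:
        findings.append("legacy Teams client %s" % ".".join(map(str, ver)))

    # 2. App ID mismatch: the app ID is a known client, but the display name
    #    or the user-agent product disagrees with it.
    if known_name and app_name != known_name:
        findings.append("appId %s is %s, record says %s" % (app_id, known_name, app_name))
    if ver and known_name and known_name != "Microsoft Teams":
        findings.append("Teams user agent but appId belongs to %s" % known_name)

    # 3. Incompatible device: user agent claims Windows, device telemetry does not.
    if "Windows NT" in ua and os_name and not os_name.startswith("Windows"):
        findings.append("UA claims Windows but device OS is %s" % os_name)
    return findings


def scan(records):
    """Map record id -> findings for every record that raised at least one."""
    out = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            out[rec["id"]] = findings
    return out


TEAMS_ID = "1fec8e78-bce4-4aaf-ab1b-5451cc387264"
OFFICE_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"

# Constructed sample records (not real telemetry). The old Teams build number
# is the one quoted in the article's IOC list; the rest of each UA is made up.
SAMPLE_SIGNINS = [
    {"id": "s1", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Teams/1.3.00.30866",
     "appId": TEAMS_ID, "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"operatingSystem": "Windows 10"}},
    {"id": "s2", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Teams/1.3.00.30866",
     "appId": OFFICE_ID, "appDisplayName": "Microsoft Office",
     "deviceDetail": {"operatingSystem": "Linux"}},
    {"id": "s3", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Teams/1.7.00.1234",
     "appId": TEAMS_ID, "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"operatingSystem": "Windows 11"}},
    {"id": "s4", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
     "appId": TEAMS_ID, "appDisplayName": "Microsoft Office",
     "deviceDetail": {"operatingSystem": "Linux"}},
]

if __name__ == "__main__":
    for rid, found in scan(SAMPLE_SIGNINS).items():
        print(rid, "->", "; ".join(found))
```

Record s2 trips all three checks at once, which is the combination worth alerting on; s3 is a clean modern client and produces nothing. In production the checks would read from a sign-in log export rather than an inline list, and the app-ID table should be built from the first-party client IDs actually observed in the tenant.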

MITRE ATT&CK & IOCs: Technical Mapping for SOC Teams

MITRE ATT&CK Mapping

  • T1110.003: Brute Force – Password Spraying
  • T1078: Valid Accounts
  • T1021.002: Remote Services – SMB/OneDrive
  • T1119: Automated Collection
  • T1566.002: Spearphishing via Services (Teams)
  • T1071.001: Application Layer Protocol – Web APIs

Indicators of Compromise (IOCs)

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)... Teams/1.3.00.30866
  • IPs:
    - 44.220.31[.]157 – First seen: 01 April 2025
    - 44.206.7[.]122 – First seen: 07 January 2025
    - 3.255.18[.]223 – First seen: 28 February 2025

Actionable Takeaways for Security Leaders and Defenders

  1. Block outdated Teams user agents in access policies to prevent TeamFiltration activity.
  2. Monitor AWS-origin IP activity targeting Entra ID tenants—especially in bursts.
  3. Disable legacy authentication protocols across all cloud services.
  4. Review sign-in logs for known TeamFiltration application IDs and mismatches.
  5. Deploy deception accounts to detect password-spraying behavior.
  6. Use conditional access policies that enforce MFA for all cloud users.
  7. Engage threat intelligence services that correlate behavior across regions.
  8. Regularly audit OAuth token usage and revoke suspicious refresh tokens.
  9. Train staff to recognize cloud-based social engineering tactics.
  10. Maintain updated blacklists of known malicious IPs and tools.
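Takeaway 2 (watch for bursts of AWS-origin activity against the tenant) and the IOC list above can be combined into one detection. The following is an added example, not code from the article, Proofpoint or TeamFiltration: it runs a sliding window over constructed Entra ID sign-in records (ipAddress, userPrincipalName, createdDateTime, status.errorCode, autonomousSystemNumber) and raises an alert for any source IP whose failed sign-ins cover many distinct accounts inside a short interval, tagging whether the IP matches the article's IOCs and whether its ASN is one assumed to belong to AWS. The window length, the user threshold and the AWS ASN set are assumptions to tune per tenant.

```python
"""Password-spray burst detection over Entra ID sign-in records.

Added example; not code from the article, Proofpoint or TeamFiltration.
Records are constructed; the window, user threshold and AWS ASN set are
assumptions to tune for your tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# IPs listed in the article's IOC section, refanged.
IOC_IPS = {"44.220.31.157", "44.206.7.122", "3.255.18.223"}
# Assumption: ASNs commonly attributed to Amazon/AWS; confirm with your own enrichment.
AWS_ASNS = {16509, 14618}

WINDOW = timedelta(minutes=10)   # assumption: burst interval
MIN_DISTINCT_USERS = 5           # assumption: accounts per interval before alerting


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_spray(records, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {ip: summary} for source IPs whose failed sign-ins touch at
    least min_users distinct accounts inside any window-length interval."""
    failures = defaultdict(list)
    asn_by_ip = {}
    for rec in records:
        if rec["status"]["errorCode"] == 0:
            continue                       # successful sign-ins are out of scope here
        ip = rec["ipAddress"]
        failures[ip].append((parse_ts(rec["createdDateTime"]), rec["userPrincipalName"]))
        asn_by_ip[ip] = rec.get("autonomousSystemNumber")

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):      # sliding window over sorted failures
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({user for _, user in events[start:end + 1]}))
        if peak >= min_users:
            alerts[ip] = {
                "distinct_users_in_window": peak,
                "ioc_match": ip in IOC_IPS,
                "aws_asn": asn_by_ip[ip] in AWS_ASNS,
            }
    return alerts


def _rec(ip, asn, user, minute, error=50126):
    """Build one constructed sign-in record; error 50126 is the Entra code for
    a wrong username or password, error 0 is a success."""
    ts = datetime(2025, 1, 7, 9, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return {"ipAddress": ip, "autonomousSystemNumber": asn, "userPrincipalName": user,
            "createdDateTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "status": {"errorCode": error}}


# Constructed sample (documentation IP ranges and ASNs for the benign hosts):
# one failure per minute against six accounts from an IOC IP on an AWS ASN,
# one IP that also fails six accounts but 20 minutes apart, and one user typo.
SAMPLE_SIGNINS = (
    [_rec("44.206.7.122", 14618, "user%d@example.com" % i, i) for i in range(6)]
    + [_rec("198.51.100.7", 64496, "user%d@example.com" % i, 20 * i) for i in range(6)]
    + [_rec("203.0.113.10", 64497, "alice@example.com", 3),
       _rec("203.0.113.10", 64497, "alice@example.com", 4, error=0)]
)

if __name__ == "__main__":
    for ip, summary in detect_spray(SAMPLE_SIGNINS).items():
        print(ip, summary)
```

Only the IOC IP is alerted with the default ten-minute window; the host that spreads its six failures over two hours stays below the threshold, which is exactly why the window should be tuned (or run at several lengths) rather than fixed, since a tool that rotates source addresses across regions will also spread its attempts over time.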

Conclusion

The UNK_SneakyStrike campaign is a stark reminder that legitimate cybersecurity tools can be rapidly adapted into powerful weapons when they fall into the wrong hands. With cloud infrastructure now being the primary attack vector, defenders must embrace behavior-based analytics, tighten security awareness training, and proactively adapt to the abuse of red-team utilities. As tools like TeamFiltration proliferate, the divide between red and blue teams must be bridged with intelligence and speed.


Ouaissou DEMBELE (http://cybercory.com)
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
