Proofpoint threat researchers have uncovered an ongoing account takeover campaign, tracked as UNK_SneakyStrike, that abuses the TeamFiltration penetration-testing framework to target Microsoft Entra ID users. Since December 2024 the attackers have used legitimate cloud infrastructure and Microsoft APIs to attempt access to over 80,000 accounts globally. The abuse of pentesting frameworks in real-world intrusions is a growing trend that enterprises must address.
TeamFiltration, first released in January 2021 and presented at DEF CON 30, was designed to let penetration testers simulate cloud intrusions. Its features (account enumeration, password spraying, persistent access via OneDrive, and data exfiltration) made it a go-to framework in legitimate security engagements.
However, by December 2024, Proofpoint researchers identified large-scale misuse of the tool in the wild. Attackers launched unauthorized access attempts against over 80,000 user accounts across 100+ Microsoft Entra ID tenants, using the tool’s native capabilities to evade detection and escalate access.
“This is a textbook example of dual-use tools being flipped by threat actors,” said Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft. “It highlights the importance of robust behavioral detection mechanisms.” [source: Proofpoint, 11 June 2025]
Cloud Infrastructure as a Launchpad
TeamFiltration routes its requests through Amazon Web Services (AWS) so that the apparent attack origin rotates across multiple regions. This defeats IP-based detection and blocking during password spraying and enumeration, because no single source address accumulates enough failures to trip a per-IP threshold. Proofpoint's telemetry shows attacker infrastructure was primarily hosted in:
- United States (42%)
- Ireland (11%)
- Great Britain (8%)
Each wave of attacks targeted Microsoft first-party apps including Teams, Outlook, OneDrive, and OneNote. Because these clients belong to the same family of client IDs (FOCI), a refresh token obtained for one of them can be redeemed for access tokens to the others, which is how a single successful password guess is turned into persistent access across the suite.
MEA Focus: Risk Amplification in Regulatory Hot Zones
Middle East and Africa in the Crosshairs
While Proofpoint did not explicitly break down affected regions, Microsoft 365 usage is widespread across MEA, especially among financial services and governmental agencies. According to regional cybersecurity regulations such as SAMA’s Cybersecurity Framework (Saudi Arabia) and South Africa’s POPIA, organizations are legally bound to report breaches and secure user credentials.
“Cloud account compromises violate compliance baselines set by most MEA national frameworks,” notes Faisal Al-Khashab, CISO at a major Gulf-based bank. “Continuous monitoring for tools like TeamFiltration must be prioritized.” [Interview, 10 June 2025]
Failure to detect unauthorized cloud access could trigger fines or loss of public trust, especially under GDPR (Europe) and NITDA NDPR (Nigeria) mandates.
Global Trends: Dual-Use Tools and Security Blind Spots
The Weaponization of Pentesting Frameworks
TeamFiltration joins a growing list of red-team tools, both commercial (Cobalt Strike) and open-source (Sliver, Evilginx), that have been weaponized in attacks. Proofpoint warns that defenders must not rely solely on known threat actor IOCs but should also monitor behavioral anomalies, such as:
- Sign-in attempts that present an outdated Teams client user agent
- Sign-ins whose application ID does not match the client the user agent claims to be
- Sign-ins from operating systems or device types that the claimed client does not support
These indicators come from TeamFiltration's own implementation: it hardcodes an old Teams user agent and drives its Teams API enumeration through a "sacrificial" Office 365 account (a licensed but disposable identity), so its traffic carries the same fingerprints from one campaign to the next.
MITRE ATT&CK & IOCs: Technical Mapping for SOC Teams
MITRE ATT&CK Mapping
- T1110.003: Brute Force – Password Spraying
- T1078.004: Valid Accounts – Cloud Accounts
- T1087.004: Account Discovery – Cloud Account (Teams API enumeration)
- T1021.007: Remote Services – Cloud Services (OneDrive access with valid credentials)
- T1119: Automated Collection
- T1530: Data from Cloud Storage (OneDrive exfiltration)
- T1566.003: Phishing – Spearphishing via Service (Teams)
- T1071.001: Application Layer Protocol – Web Protocols
Indicators of Compromise (IOCs)
- User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)... Teams/1.3.00.30866
- IPs:
  - 44.220.31[.]157 – First seen: 01 April 2025
  - 44.206.7[.]122 – First seen: 07 January 2025
  - 3.255.18[.]223 – First seen: 28 February 2025
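The detection logic below implements the three behavioral signals listed above (outdated Teams user agent, app/user-agent mismatch, incompatible device type) together with a tenant-wide password-spray check, and matches the user-agent and address IOCs just given. It is an added example written for this page, not Proofpoint's research code and not part of TeamFiltration. The sign-in events are constructed to mimic the Entra ID sign-in log schema (userPrincipalName, ipAddress, userAgent, appDisplayName, deviceDetail.operatingSystem, status.errorCode); the AWS prefixes, the app-to-user-agent mapping, the event helper and the modern Teams version string are assumptions for illustration. The spray check deliberately counts distinct users across the whole tenant rather than per source IP, because the AWS rotation described earlier is designed to keep every individual address under a per-IP threshold.

```python
"""Flag TeamFiltration-style sign-ins in Entra ID sign-in log events (added example)."""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# User-agent marker taken from the IOC list on this page.
TEAMFILTRATION_UA_MARKER = "Teams/1.3.00.30866"

# AADSTS50126: invalid username or password (a failed spray attempt).
INVALID_CREDENTIALS = 50126

# Assumption for illustration: two prefixes that cover the page's three IOC
# addresses. A real deployment loads AWS's published ip-ranges.json instead.
ASSUMED_AWS_PREFIXES = [ipaddress.ip_network(p) for p in ("44.192.0.0/11", "3.248.0.0/13")]

# Assumption: the product token each first-party client is expected to present
# in its user agent. Key on appId rather than appDisplayName in production.
EXPECTED_UA_PRODUCT = {"Microsoft Teams": "Teams/", "OneDrive SyncEngine": "OneDrive"}

# Constructed user agents: the tool's fingerprint and an assumed current client.
_TOOL_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Teams/1.3.00.30866 Electron/8.5.1 Safari/537.36")
_MODERN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Teams/1.7.00.9999 Electron/28.0.0 Safari/537.36")


def _event(ts, upn, ip, ua, app, os_name, code):
    """Build one constructed sign-in event in the shape of the Entra ID schema."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "userAgent": ua, "appDisplayName": app,
            "deviceDetail": {"operatingSystem": os_name}, "status": {"errorCode": code}}


# Constructed sample: one spray burst over six users from three rotating AWS
# addresses, one takeover (frank succeeds), one benign sign-in, one mismatch.
SAMPLE_EVENTS = [
    _event("2025-01-07T09:00:05Z", "alice@example.com", "44.206.7.122", _TOOL_UA, "Microsoft Teams", "Windows 10", 50126),
    _event("2025-01-07T09:00:09Z", "bob@example.com", "44.206.7.122", _TOOL_UA, "Microsoft Teams", "Windows 10", 50126),
    _event("2025-01-07T09:00:14Z", "carol@example.com", "44.220.31.157", _TOOL_UA, "Microsoft Teams", "Windows 10", 50126),
    _event("2025-01-07T09:00:20Z", "dave@example.com", "44.220.31.157", _TOOL_UA, "Microsoft Teams", "Windows 10", 50126),
    _event("2025-01-07T09:00:27Z", "erin@example.com", "3.255.18.223", _TOOL_UA, "Microsoft Teams", "Windows 10", 50126),
    _event("2025-01-07T09:00:33Z", "frank@example.com", "3.255.18.223", _TOOL_UA, "Microsoft Teams", "Windows 10", 50126),
    _event("2025-01-07T09:01:02Z", "frank@example.com", "3.255.18.223", _TOOL_UA, "Microsoft Teams", "Windows 10", 0),
    _event("2025-01-07T09:15:00Z", "grace@example.com", "203.0.113.10", _MODERN_UA, "Microsoft Teams", "Windows 10", 0),
    _event("2025-01-07T09:20:00Z", "frank@example.com", "44.206.7.122", _TOOL_UA, "OneDrive SyncEngine", "Linux", 50126),
]


def is_aws_origin(ip):
    """True if the address falls inside the (assumed) AWS prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ASSUMED_AWS_PREFIXES)


def flag_event(ev):
    """Per-event anomaly labels: tool UA, app/UA mismatch, UA/OS mismatch, AWS origin."""
    flags = []
    ua = ev.get("userAgent", "")
    if TEAMFILTRATION_UA_MARKER in ua:
        flags.append("outdated_teams_ua")
    expected = EXPECTED_UA_PRODUCT.get(ev.get("appDisplayName"))
    if expected and expected not in ua:
        flags.append("app_ua_mismatch")
    os_name = ev.get("deviceDetail", {}).get("operatingSystem", "")
    # A Windows desktop user agent reported from a non-Windows device is incompatible.
    if "Windows NT" in ua and os_name and not os_name.lower().startswith("windows"):
        flags.append("device_os_mismatch")
    if is_aws_origin(ev["ipAddress"]):
        flags.append("aws_origin")
    return flags


def _ts(ev):
    return datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Tenant-wide spray check: many distinct users, few attempts each, inside one
    window, regardless of source IP. Returns the first matching window or None."""
    failures = sorted((e for e in events if e["status"]["errorCode"] == INVALID_CREDENTIALS), key=_ts)
    for i, first in enumerate(failures):
        t0 = _ts(first)
        burst = [e for e in failures[i:] if _ts(e) - t0 <= window]
        per_user = Counter(e["userPrincipalName"] for e in burst)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            ips = {e["ipAddress"] for e in burst}
            return {"window_start": first["createdDateTime"], "distinct_users": len(per_user),
                    "distinct_ips": len(ips), "aws_ips": sum(is_aws_origin(ip) for ip in ips)}
    return None


def successful_with_tool_markers(events):
    """Successful sign-ins that still carry the tool's user agent: likely takeovers."""
    return sorted({e["userPrincipalName"] for e in events
                   if e["status"]["errorCode"] == 0 and "outdated_teams_ua" in flag_event(e)})


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if flags := flag_event(ev):
            print(ev["createdDateTime"], ev["userPrincipalName"], flags)
    print("spray:", detect_spray(SAMPLE_EVENTS))
    print("likely takeovers:", successful_with_tool_markers(SAMPLE_EVENTS))
```

Note that a per-IP rule with the same thresholds would not fire on this sample: each of the three addresses carries only two failures. Aggregating by user across the tenant is what surfaces the burst, and the "aws_ips" count on the alert is the corroborating signal for the infrastructure pattern described above.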
Actionable Takeaways for Security Leaders and Defenders
- Alert on sign-ins that present outdated Teams user agents. Entra ID Conditional Access does not evaluate the user agent, so treat this as a detection signal in sign-in logs rather than a policy block.
- Monitor for bursts of sign-in failures from AWS address space against Entra ID tenants, aggregated tenant-wide rather than per source IP, since the tool rotates addresses across regions.
- Disable legacy authentication protocols across all cloud services.
- Review sign-in logs for the first-party (FOCI) application IDs TeamFiltration impersonates, and for sign-ins where the application ID, user agent, and reported operating system do not agree.
- Deploy deception accounts to detect password-spraying behavior.
- Use conditional access policies that enforce MFA for all cloud users.
- Engage threat intelligence services that correlate behavior across regions.
- Regularly audit OAuth token usage and revoke suspicious refresh tokens.
- Train staff to recognize cloud-based social engineering tactics.
- Maintain updated blocklists of known malicious IPs and tool fingerprints, while recognizing that rotation through AWS limits the value of address blocking on its own.
Conclusion
The UNK_SneakyStrike campaign is a stark reminder that legitimate security tooling can be rapidly turned into an effective weapon when it falls into the wrong hands. With cloud identity now a primary target, defenders must embrace behavior-based analytics, tighten security awareness training, and proactively adapt to the abuse of red-team utilities. As tools like TeamFiltration proliferate, the divide between red and blue teams must be bridged with intelligence and speed.
Sources
- Proofpoint Research Blog – 11 June 2025
- GitHub – TeamFiltration Tool
- Secureworks FOCI GitHub Repository
- Microsoft – OAuth 2.0 Authorization Grant Flow
- MITRE ATT&CK Framework
- SAMA Cybersecurity Framework
- South Africa POPIA
- NITDA Nigeria NDPR
- DefCon 30 Presentation on TeamFiltration
- Microsoft Security Blog – Refresh Tokens