Threat Actor Abuses TeamFiltration for Entra ID Account Takeovers - Dark Reading
Researchers discovered a large-scale campaign using the open source penetration-testing framework that has targeted more than 80,000 Microsoft accounts.

Rob Wright, Senior News Director, Dark Reading
June 13, 2025

A single threat actor has triggered an alarming rise in the abuse of TeamFiltration, an open source penetration-testing framework designed to compromise Microsoft Entra ID accounts.

According to new research from Proofpoint, an active account takeover (ATO) campaign that was first observed in December has targeted 80,000 user accounts across approximately 100 cloud tenants. The campaign, which Proofpoint researchers named "UNK_SneakyStrike," leverages the TeamFiltration framework to conduct enumeration and password-spraying attacks.

The framework, which was developed by security researcher Melvin Langvik and launched at DEFCON 30, also includes features for data exfiltration and for establishing persistent access to accounts through look-alike files in OneDrive that serve as backdoors.

Proofpoint researchers said they observed "several cases" of successful ATO attacks through UNK_SneakyStrike, which is believed to be the work of a single threat actor.

How TeamFiltration Attacks Work

TeamFiltration takes advantage of several aspects of Microsoft's technical architecture, including Teams APIs and the OAuth implementation used for single sign-on. The framework automates enumeration and password spraying: it validates user accounts in a targeted environment through the Teams API and then generates password attempts through a rotation of unique IP addresses.

The researchers explained that TeamFiltration requires an AWS account by default to initiate the password-spraying function.
"These attempts systematically rotate AWS Regions, ensuring each password spraying wave originates from a different server in a new geographic location," they wrote.Once TeamFiltration obtains a valid password for an account, the framework attempts to exploit any gaps in conditional access policies in the target network. For example, Langvik explained in his DEFCON 30 presentation that during a penetration test against a customer in 2020, he found that a compromised Microsoft account had multifactor authentication (MFA) on all applications except Teams. The misconfiguration in the conditional access policy was enough to give Langvik a foot in the door.Additionally, TeamFiltration is designed to take advantage of what SecureWorks researchers first described as "family refresh tokens" (FRTs) in Microsoft's OAuth implementation. If an attacker obtains access to an application with an FRT, they can use it to mint access tokens for all the applications within that family of Client IDs in Microsoft Entra (formerly Azure Active Directory).Related:Post-Quantum Web Could be Safer, FasterFrom there, the framework automates exfiltration of data from the compromised accounts, which Langvik said is "the bread and butter" of TeamFiltration. For a compromised Teams account, for example, the framework will pull all chat logs, attachments, and contacts automatically, he said during the DEFCON 30 presentation.Rise in TeamFiltration AbuseProofpoint researchers said the UNK_SneakyStrike attacks began in December 2024 and peaked in January. 
The recent surge in TeamFiltration activity, according to the company, was driven by the ATO campaign. Unlike legitimate usage of the penetration-testing framework, the activity showed broad and indiscriminate targeting, highlighted by "highly concentrated bursts" of attempted logins.

"UNK_SneakyStrike's targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants. This behavior matches the tool's advanced target acquisition features, designed to filter out less desirable accounts," the researchers wrote.

In a statement to Dark Reading, Proofpoint's threat researchers said that while other actors may be abusing TeamFiltration at smaller scales, the surge in activity stems from UNK_SneakyStrike. They also anticipate that threat actors will increase their usage of advanced intrusion tools and penetration-testing platforms like TeamFiltration.

"TeamFiltration's advantage in cloud attacks is its ability to operate through legitimate services and APIs, enabling stealthy, persistent access," the threat researchers said in the statement. "While it might require valid credentials and sometimes cloud access (like an AWS or Azure account), its cloud-native design lets attackers blend in with normal user activity, making detection harder compared to traditional pentesting tools."

Proofpoint recommends that organizations review the indicators of compromise for UNK_SneakyStrike, supplemented by behavioral analytics and other threat intelligence sources. To prevent ATO attacks, organizations should implement MFA for all accounts and applications and review access policies to identify and remediate any gaps that threat actors could exploit.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist.
Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.