TeamFiltration Pentesting Tool Weaponized to Hijack Microsoft Teams, Outlook, and Other Accounts

A sophisticated cyberattack campaign has weaponized a legitimate penetration testing framework to compromise thousands of Microsoft cloud accounts across hundreds of organizations worldwide.

The malicious operation, designated UNK_SneakyStrike, leverages TeamFiltration, a popular cybersecurity tool originally designed for Office 365 security assessments, to conduct large-scale account takeover attacks targeting Microsoft Teams, OneDrive, Outlook, and other enterprise applications.

TeamFiltration emerged in January 2021 as a robust framework created by threat researchers and publicly released at DEF CON 30.

The tool was originally intended to help security professionals simulate intrusions against cloud environments, offering capabilities for Office 365 Entra ID account takeover, data exfiltration, and persistent access establishment.

However, like many dual-use security tools, TeamFiltration has now been repurposed by cybercriminals to conduct unauthorized attacks against legitimate organizations.

The UNK_SneakyStrike campaign began its operations in December 2024, with activity peaking in January 2025.

Proofpoint researchers identified the malicious use of TeamFiltration through careful analysis of the tool’s distinctive characteristics and attack patterns.

Since the campaign’s inception, threat actors have targeted over 80,000 user accounts across roughly 100 cloud tenants, resulting in multiple successful account compromises.

The attackers exploit TeamFiltration’s advanced capabilities to conduct systematic user enumeration and password spraying attacks.

The framework uses the Microsoft Teams API and Amazon Web Services infrastructure deployed across multiple geographic regions, with the majority of malicious traffic originating from the United States (42%), Ireland (11%), and Great Britain (8%).

This distributed approach helps attackers evade detection while maintaining operational resilience.

Infection Mechanism and Technical Implementation

The technical sophistication of UNK_SneakyStrike lies in its exploitation of Microsoft’s OAuth client application ecosystem.

[Figure: Execution flow of TeamFiltration (Source – Proofpoint)]

TeamFiltration targets specific client applications that belong to Microsoft’s “family refresh token” group, enabling attackers to obtain special authentication tokens that can be exchanged across multiple Microsoft services.

The framework’s configuration reveals a predefined list of target applications (C#, as excerpted by Proofpoint; the element type is a tuple of client ID and display name):

// Microsoft first-party client IDs in the "family refresh token" group
var clientIdList = new List<(string ClientId, string Name)>
{
    ("1fec8e78-bce4-4aaf-ab1b-5451cc387264", "Microsoft Teams"),
    ("04b07795-8ddb-461a-bbee-02f9e1bf7b46", "Microsoft Azure CLI"),
    ("ab9b8c07-8f02-4f72-87fa-80105867a763", "OneDrive SyncEngine"),
    ("d3590ed6-52b3-4102-aeff-aad2292ab01c", "Microsoft Office")
};

Proofpoint analysts noted that attackers maintain persistence through a “backdooring” technique via OneDrive, uploading malicious files to target environments and replacing legitimate desktop files with malware-laden lookalikes.

The campaign’s attack pattern involves highly concentrated bursts targeting multiple users within single cloud environments, followed by dormant periods lasting four to five days.

This tactical approach, combined with systematic AWS region rotation, demonstrates the threat actors’ sophisticated understanding of detection evasion techniques and infrastructure management.
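The two observable traits described above, sign-in attempts routed through the family-refresh-token client IDs listed in TeamFiltration's configuration and short bursts against many accounts followed by days of silence, are both things a defender can look for in Entra ID sign-in logs. The following script is an added example, not code from the article, from Proofpoint, or from the TeamFiltration project. It runs over constructed sample events (the IP addresses, user names and timestamps are made up; the client IDs are the four quoted on the page) and assumes the field names of the Entra ID sign-in log export (createdDateTime, userPrincipalName, appId, ipAddress, and the status errorCode, where 0 is success and 50126 is an invalid-credential failure).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Client (application) IDs quoted on the page from TeamFiltration's configuration.
# Refresh tokens issued to these Microsoft first-party apps can be exchanged
# across services, which is why the tool targets them.
FAMILY_REFRESH_TOKEN_CLIENTS = {
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "ab9b8c07-8f02-4f72-87fa-80105867a763": "OneDrive SyncEngine",
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
}

AZ_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
TEAMS = "1fec8e78-bce4-4aaf-ab1b-5451cc387264"
SPRAY_IP = "203.0.113.10"  # constructed address from the TEST-NET-3 range


def _ev(ts, user, app_id, ip, code):
    """Build one constructed sign-in record in Entra ID export field names."""
    return {"createdDateTime": ts.isoformat().replace("+00:00", "Z"),
            "userPrincipalName": user, "appId": app_id,
            "ipAddress": ip, "errorCode": code}


def _ts(s):
    """Parse an ISO-8601 'Z' timestamp back into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


_BURST1 = datetime(2025, 1, 14, 2, 0, 5, tzinfo=timezone.utc)
_BURST2 = datetime(2025, 1, 19, 3, 10, 0, tzinfo=timezone.utc)

# Constructed sample telemetry (not real data).
SAMPLE_SIGNINS = [
    # One source IP tries seven different accounts through the Azure CLI
    # client, 20 seconds apart, all failing on invalid credentials ...
    _ev(_BURST1 + timedelta(seconds=20 * i), f"user{i}@example.com", AZ_CLI, SPRAY_IP, 50126)
    for i in range(7)
] + [
    # ... and the eighth attempt succeeds.
    _ev(_BURST1 + timedelta(seconds=155), "user7@example.com", AZ_CLI, SPRAY_IP, 0),
    # Benign: one user signing in to Teams twice from an office address.
    _ev(datetime(2025, 1, 14, 8, 15, tzinfo=timezone.utc), "alice@example.com", TEAMS, "198.51.100.5", 0),
    _ev(datetime(2025, 1, 14, 12, 30, tzinfo=timezone.utc), "alice@example.com", TEAMS, "198.51.100.5", 0),
] + [
    # A second, smaller burst five days later from a different address.
    _ev(_BURST2 + timedelta(seconds=30 * k), f"user{9 + k}@example.com", AZ_CLI, "203.0.113.77", 50126)
    for k in range(3)
]


def detect_spray(records, window=timedelta(minutes=10), min_users=5):
    """Flag (source IP, client app) pairs that touch at least `min_users`
    distinct accounts inside `window`, considering only the family-refresh-token
    client IDs. Returns one alert per pair with the widest window seen."""
    groups = defaultdict(list)
    for r in records:
        if r["appId"] in FAMILY_REFRESH_TOKEN_CLIENTS:
            groups[(r["ipAddress"], r["appId"])].append(r)
    alerts = []
    for (ip, app_id), evs in groups.items():
        evs.sort(key=lambda r: _ts(r["createdDateTime"]))
        times = [_ts(r["createdDateTime"]) for r in evs]
        best, start = None, 0
        for end in range(len(evs)):          # sliding window over sorted events
            while times[end] - times[start] > window:
                start += 1
            span = evs[start:end + 1]
            users = {r["userPrincipalName"] for r in span}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {"ip": ip, "app": FAMILY_REFRESH_TOKEN_CLIENTS[app_id],
                        "distinct_users": len(users),
                        "successes": sorted(r["userPrincipalName"] for r in span if r["errorCode"] == 0),
                        "first": span[0]["createdDateTime"], "last": span[-1]["createdDateTime"]}
        if best:
            alerts.append(best)
    return alerts


def burst_days(records, min_users=3, quiet_days=4):
    """Per-day count of distinct accounts targeted through the family clients;
    return (day, count) for days that look like a burst arriving after at least
    `quiet_days` of no such activity (the stop-and-go rhythm described above)."""
    per_day = defaultdict(set)
    for r in records:
        if r["appId"] in FAMILY_REFRESH_TOKEN_CLIENTS:
            per_day[_ts(r["createdDateTime"]).date()].add(r["userPrincipalName"])
    bursts, prev = [], None
    for day in sorted(per_day):
        n = len(per_day[day])
        if n >= min_users and (prev is None or (day - prev).days >= quiet_days):
            bursts.append((day.isoformat(), n))
        prev = day
    return bursts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_SIGNINS):
        print(f"spray: {a['ip']} via {a['app']}: {a['distinct_users']} accounts, "
              f"{a['first']}..{a['last']}, compromised={a['successes']}")
    print("burst days:", burst_days(SAMPLE_SIGNINS))
```

The thresholds (ten-minute window, five accounts, four quiet days) are assumptions chosen to match the sample data; in production they should be tuned per tenant, and the per-IP grouping should be widened to an ASN or cloud-provider range, since the article notes the operators rotate across AWS regions rather than reusing one address.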
