Cybercriminals Use TeamFiltration Pentesting Framework to Breach Microsoft Teams, OneDrive, Outlook, and More
Proofpoint threat researchers have exposed an active account takeover (ATO) campaign, dubbed UNK_SneakyStrike, exploiting the TeamFiltration pentesting framework to target Microsoft Entra ID user accounts.
Since December 2024, this malicious operation has impacted over 80,000 user accounts across hundreds of organizations, achieving several successful breaches.
UNK_SneakyStrike Campaign
The attackers have weaponized TeamFiltration, a tool originally designed for legitimate penetration testing and risk assessment, to orchestrate large-scale user enumeration and password-spraying attacks.
By leveraging the Microsoft Teams API and Amazon Web Services (AWS) infrastructure across multiple regions, cybercriminals have gained unauthorized access to critical native applications such as Microsoft Teams, OneDrive, and Outlook, posing a significant threat to cloud security.

The TeamFiltration framework, first released publicly at DefCon30 in 2021, offers a suite of advanced capabilities that have made it a double-edged sword in the cybersecurity landscape.
It automates tactics like account enumeration to identify valid users, password spraying to compromise credentials, and data exfiltration to steal sensitive information such as emails and files.
Additionally, it facilitates persistent access through “backdooring” techniques, uploading malicious files to a target’s OneDrive to replace legitimate files with malware-laden lookalikes.
Sophisticated Account Takeover Tactics
Proofpoint researchers identified unique indicators of TeamFiltration misuse, including a distinctive, outdated Microsoft Teams user agent and suspicious access attempts to specific sign-in applications from incompatible devices, suggesting user agent spoofing to mask the origin of attacks.

Further analysis revealed that the tool targets a pre-configured list of Microsoft OAuth client application IDs to obtain “family refresh tokens,” which are then exploited for broader access across Entra ID environments.
The UNK_SneakyStrike campaign, peaking in January 2025, showcases a pattern of concentrated bursts of unauthorized access attempts, often targeting entire user bases in smaller cloud tenants while selectively focusing on subsets in larger ones.
These attacks, originating predominantly from AWS servers in the United States (42%), Ireland (11%), and Great Britain (8%), rotate across regions to evade detection.
Proofpoint distinguished this malicious activity from legitimate penetration testing by analyzing the indiscriminate, high-volume targeting patterns across multiple tenants.
The campaign’s reliance on a “sacrificial” Office 365 account with a Microsoft 365 Business Basic license for enumeration, combined with AWS infrastructure, underscores the sophistication of the operation.
As threat actors increasingly adopt advanced tools like TeamFiltration, Proofpoint warns of a shift away from less effective intrusion methods, urging organizations to bolster defenses with behavioral analytics and threat intelligence.
Indicators of Compromise (IOCs)
| Indicator | Type | Description | First Seen (DD/MM/YYYY) |
|---|---|---|---|
| Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36 | User Agent | Default user agent associated with TeamFiltration activity | – |
| 44.220.31.157 | IP Address | Source IP associated with UNK_SneakyStrike activity | 04/01/2025 |
| 44.206.7.122 | IP Address | Source IP associated with UNK_SneakyStrike activity | 07/01/2025 |
| 3.255.18.223 | IP Address | Source IP associated with UNK_SneakyStrike activity | 28/02/2025 |
| 44.206.7.134 | IP Address | Source IP associated with UNK_SneakyStrike activity | 07/01/2025 |
| 44.212.180.197 | IP Address | Source IP associated with UNK_SneakyStrike activity | 05/01/2025 |
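
As an added example (not Proofpoint's code, nor part of TeamFiltration), the Python below applies the indicators from the table above to Entra ID sign-in records: an exact match on the TeamFiltration user agent, a match on the listed source IPs, the user-agent/device mismatch the article describes, and a burst heuristic for the password-spray pattern. Field names follow the Entra ID sign-in log schema; the sample events, the spray thresholds (3 distinct users within 10 minutes) and the helper `event` are assumptions made for this example.

```python
# Added example, not Proofpoint's or TeamFiltration's code: flags the UNK_SneakyStrike
# indicators from the article's IOC table in Entra ID sign-in records (Entra field names).
from collections import defaultdict
from datetime import datetime, timedelta

TEAMFILTRATION_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 "
                     "Electron/8.5.1 Safari/537.36")
IOC_IPS = {"44.220.31.157", "44.206.7.122", "3.255.18.223", "44.206.7.134", "44.212.180.197"}
# Spray-burst thresholds are assumptions for this example, not values from the article.
SPRAY_USERS, SPRAY_WINDOW = 3, timedelta(minutes=10)


def find_indicators(events):
    """Return sorted (reason, ipAddress) findings over a list of sign-in events."""
    findings, by_ip = set(), defaultdict(list)
    for e in events:
        ip, ua = e["ipAddress"], e.get("userAgent", "")
        if ua == TEAMFILTRATION_UA:
            findings.add(("teamfiltration_user_agent", ip))
        if ip in IOC_IPS:
            findings.add(("known_unk_sneakystrike_ip", ip))
        # Teams desktop UA claims Windows while the device record says otherwise:
        # the user-agent spoofing pattern the article describes.
        os_name = e.get("deviceDetail", {}).get("operatingSystem", "")
        if "Windows NT" in ua and os_name and not os_name.startswith("Windows"):
            findings.add(("user_agent_os_mismatch", ip))
        ts = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_ip[ip].append((ts, e["userPrincipalName"]))
    # Password-spray burst: one IP touching many distinct accounts in a short window.
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            if len({u for t, u in attempts[i:] if t - t0 <= SPRAY_WINDOW}) >= SPRAY_USERS:
                findings.add(("password_spray_burst", ip))
                break
    return sorted(findings)


def event(ts, upn, ip, ua=TEAMFILTRATION_UA, os_name="Windows 10"):
    # Hypothetical helper: one constructed sign-in record in the Entra ID sign-in log shape.
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "userAgent": ua, "deviceDetail": {"operatingSystem": os_name}}


SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    event("2025-01-07T10:00:00Z", "alice@example.com", "44.206.7.122"),
    event("2025-01-07T10:01:00Z", "bob@example.com", "44.206.7.122"),
    event("2025-01-07T10:02:00Z", "carol@example.com", "44.206.7.122"),
    event("2025-01-07T11:00:00Z", "dave@example.com", "203.0.113.9", os_name="iOS"),
    event("2025-01-07T12:00:00Z", "erin@example.com", "198.51.100.4",
          ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
]
```

Running `find_indicators(SAMPLE_EVENTS)` flags the listed IP for the user agent, the IOC match and the three-account burst, and flags the second source only for the user agent and the Windows/iOS mismatch; the ordinary browser sign-in produces no finding.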