Widespread Entra ID Account Takeover Campaign Detected Using Open Source Tool
Security researchers at Calif.-based Proofpoint have uncovered a large-scale account takeover campaign aimed at Microsoft Entra ID environments. The attackers are using TeamFiltration, an open source penetration testing tool, to automate their efforts.
Proofpoint reported that more than 80,000 user accounts across 100 Microsoft cloud tenants have been targeted since 2024. The campaign, which the company has named “UNK_SneakyStrike,” uses techniques like password spraying and automated login attempts to gain access. Once in, the attackers abuse stolen OAuth tokens and Microsoft APIs tied to services like Teams, Outlook, OneDrive and OneNote.
Originally introduced at DefCon 30 in 2021 by researcher “Flangvik,” TeamFiltration is designed to streamline tasks such as finding user accounts, stealing data and maintaining long-term access. It specifically targets Microsoft cloud services by exploiting OAuth refresh tokens tied to widely used Microsoft client IDs. Proofpoint found that the attackers use Amazon Web Services (AWS) infrastructure to launch their attacks, often rotating between regions such as the U.S., Ireland and the U.K. to avoid detection.
Researchers tracked the campaign by identifying outdated Teams user agent strings, suspicious OAuth app IDs and malicious traffic coming from AWS IP addresses. The attacks typically happen in waves -- fully targeting smaller organizations, selectively hitting larger ones -- and then pause after four to five days. This stop-and-start pattern matches the built-in behavior of the TeamFiltration tool.
"UNK_SneakyStrike's targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants," read the Proofpoint report. "This behavior matches the tool's advanced target acquisition features, designed to filter out less desirable accounts."
Proofpoint noted that once attackers take over accounts, they can reset critical policies, exfiltrate sensitive data, plant malware via OneDrive, and disable logs, potentially breaching compliance across the entire tenant.
Along with shedding light on the attack campaign, the security firm also provided some recommendations on how IT can protect end users. They include:
- Enforcing phishing‑resistant multifactor authentication (e.g. FIDO2 or certificate‑based MFA).
- Auditing OAuth consent and refresh‑token privileges tied to Microsoft 365 apps.
- Monitoring unusual Teams API traffic or legacy user‑agent patterns.
- Blocking or segmenting AWS IP addresses not typically used for legitimate connections.
- Disabling or cleaning up stale Azure/Entra ID accounts and ensuring rapid deprovisioning.
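As an added illustration (not code from Proofpoint's report or from the TeamFiltration project), the Python below correlates the three indicators the researchers describe over sign-in records: a spray signature (one source IP trying many distinct accounts in a short window), a source address in a range the tenant never expects sign-ins from, and an outdated Teams client string. The sample events, the `198.51.100.0/24` network and the `Teams/1.3` prefix are constructed placeholders; the real IoCs are not given in the article.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in events (ts, user, source ip, user agent, success); not real telemetry.
SIGNIN_LOG = [
    ("2025-05-01T10:00:00", "alice@example.test", "198.51.100.7", "Teams/1.3.00.0001", False),
    ("2025-05-01T10:00:30", "bob@example.test",   "198.51.100.7", "Teams/1.3.00.0001", False),
    ("2025-05-01T10:01:00", "carol@example.test", "198.51.100.7", "Teams/1.3.00.0001", False),
    ("2025-05-01T10:01:30", "dave@example.test",  "198.51.100.7", "Teams/1.3.00.0001", False),
    ("2025-05-01T10:02:00", "erin@example.test",  "198.51.100.7", "Teams/1.3.00.0001", True),
    ("2025-05-01T11:15:00", "alice@example.test", "203.0.113.9",  "Mozilla/5.0 (Windows NT 10.0)", False),
    ("2025-05-01T11:15:40", "alice@example.test", "203.0.113.9",  "Mozilla/5.0 (Windows NT 10.0)", True),
]
# Placeholder network standing in for cloud-provider ranges the tenant never expects sign-ins from.
UNEXPECTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Placeholder prefix for an outdated Teams client string; the real strings are not in the article.
LEGACY_UA_PREFIXES = ("Teams/1.3",)

def from_unexpected_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNEXPECTED_RANGES)

def spray_sources(events, window=timedelta(minutes=10), min_users=4):
    """Map source IP -> max distinct accounts it tried within any `window`; successes count too."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ua, _ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            n = len({u for _t, u in evs[start:end + 1]})
            if n >= min_users:
                hits[ip] = max(n, hits.get(ip, 0))
    return hits

def findings(events):
    """Per source IP, report which indicators fired and whether any sign-in from it succeeded."""
    sprays = spray_sources(events)
    out = {}
    for _ts, _user, ip, ua, ok in events:
        f = out.setdefault(ip, {"spray": ip in sprays, "unexpected_range": from_unexpected_range(ip),
                                "legacy_ua": False, "success": False})
        f["legacy_ua"] = f["legacy_ua"] or ua.startswith(LEGACY_UA_PREFIXES)
        f["success"] = f["success"] or ok
    return {ip: f for ip, f in out.items() if f["spray"] or f["legacy_ua"] or f["unexpected_range"]}
```

A source that trips all three indicators and then records a success is the case to triage first: that is the point at which a refresh token may have been issued, which is what the recommended OAuth audit is meant to catch.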
Enterprises should treat TeamFiltration like any potent red‑team tool: assume threat actors will adopt or modify it. Beyond traditional hardening, organizations should lean on identity‑protection services, behavioral‑analytics platforms and vulnerability feeds to detect abuse of refresh‑token families, said Proofpoint.