New Account Takeover Campaign Leverages Pentesting Tool to Attack Entra ID User Accounts

A sophisticated account takeover campaign has emerged, exploiting a legitimate penetration testing framework to compromise Microsoft Entra ID environments across hundreds of organizations worldwide.

The malicious activity, which began intensifying in December 2024, demonstrates how cybercriminals are increasingly weaponizing security tools originally designed for defensive purposes.

The campaign leverages TeamFiltration, a publicly available pentesting framework created in January 2021 and released at DefCon30, to systematically target Office 365 Entra ID user accounts.

Execution flow of TeamFiltration (Source – Proofpoint)

This tool, originally developed to help security professionals test cloud environment vulnerabilities, provides attackers with automated capabilities for password spraying, data exfiltration, and establishing persistent access through OneDrive backdoors.

Proofpoint researchers identified the malicious activity, now tracked as UNK_SneakyStrike, and determined that over 80,000 user accounts across approximately 100 cloud tenants have been targeted since the campaign’s escalation.

The threat actors operate through Amazon Web Services infrastructure spanning multiple geographical regions, with the United States, Ireland, and Great Britain representing the primary source locations for attack traffic.

List of native sign-in apps targeted by an ATO attempt attributed to TeamFiltration (Source – Proofpoint)

The campaign’s methodology involves systematic user enumeration through the Microsoft Teams API, followed by coordinated password spraying attempts that rotate across different AWS regions to evade detection.

Successful account compromises enable attackers to access native Microsoft applications including Teams, OneDrive, and Outlook, potentially facilitating lateral movement and data theft.

Detection Through Technical Fingerprinting

The identification of UNK_SneakyStrike required sophisticated analysis of TeamFiltration’s technical signatures and behavioral patterns.

Proofpoint researchers discovered that the framework employs a distinctive user agent string that proved instrumental in tracking malicious activity:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36

This outdated Microsoft Teams user agent rarely appears in legitimate environments, making it a reliable indicator of TeamFiltration usage.
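As an added illustration of how a defender can operationalize the two indicators described above (the outdated Teams/Electron user agent, and spraying that touches many accounts from few source IPs), the following Python script is example code written for this page; it is not Proofpoint's or TeamFiltration's code. The sign-in records are a constructed, simplified JSON-lines format rather than Microsoft's real Entra ID sign-in log schema, the users and IPs are fictitious (documentation address ranges), and the fingerprint substrings are taken from the user agent quoted in the article.

```python
"""Flag TeamFiltration-style sign-ins in a simplified sign-in log.

Example code for this article, not part of the original page. The log
format below is a constructed simplification of Entra ID sign-in events.
"""
import json
from collections import defaultdict

# The user agent quoted in the article, and two stable substrings from it
# used as the fingerprint (substring match is more robust than full equality).
TF_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 "
         "Electron/8.5.1 Safari/537.36")
TEAMFILTRATION_UA_MARKERS = ("Teams/1.3.00.30866", "Electron/8.5.1")

# A generic, current-looking browser user agent for contrast (constructed).
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36")

# Constructed sample events: fictitious users, documentation IP ranges.
_SAMPLE_ROWS = [
    ("2024-12-10T08:00:01Z", "alice@example.com", "203.0.113.10", "failure", TF_UA),
    ("2024-12-10T08:00:03Z", "bob@example.com",   "203.0.113.10", "failure", TF_UA),
    ("2024-12-10T08:00:05Z", "carol@example.com", "203.0.113.10", "failure", TF_UA),
    ("2024-12-10T08:00:07Z", "dave@example.com",  "203.0.113.10", "success", TF_UA),
    ("2024-12-10T08:01:00Z", "erin@example.com",  "198.51.100.7", "success", BROWSER_UA),
    ("2024-12-10T08:02:00Z", "frank@example.com", "198.51.100.7", "failure", TF_UA),
]
SAMPLE_LOG = "\n".join(
    json.dumps(dict(zip(("time", "user", "ip", "status", "ua"), row)))
    for row in _SAMPLE_ROWS
)


def parse_events(raw):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_teamfiltration_ua(ua):
    """True when every fingerprint marker appears in the user agent."""
    return all(marker in ua for marker in TEAMFILTRATION_UA_MARKERS)


def flag_teamfiltration_ua(events):
    """All events (success or failure) carrying the fingerprinted user agent."""
    return [e for e in events if is_teamfiltration_ua(e.get("ua", ""))]


def detect_spray(events, min_users=3):
    """Return {ip: sorted distinct users} for source IPs whose failed sign-ins
    touch at least min_users distinct accounts (spray shape: many users, few IPs).
    """
    users_by_ip = defaultdict(set)
    for e in events:
        if e.get("status") == "failure":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


def successful_flagged_signins(events):
    """Highest-priority alerts: successful sign-ins with the fingerprinted UA,
    i.e. accounts that may already be compromised."""
    return sorted(e["user"] for e in flag_teamfiltration_ua(events)
                  if e.get("status") == "success")


def main():
    events = parse_events(SAMPLE_LOG)
    for e in flag_teamfiltration_ua(events):
        print(f"UA match  {e['time']} {e['ip']:<14} {e['status']:<8} {e['user']}")
    for ip, users in detect_spray(events).items():
        print(f"Spray     {ip} -> {len(users)} distinct accounts: {', '.join(users)}")
    for user in successful_flagged_signins(events):
        print(f"REVIEW    successful sign-in with TeamFiltration UA: {user}")


if __name__ == "__main__":
    main()
```

In a real deployment the same three checks would run over exported sign-in logs or a SIEM query rather than the embedded sample; the thresholds (here three distinct accounts per IP) should be tuned per tenant, and the successful-sign-in check is the one to page on, since it indicates an account that may already be in the attacker's hands.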

Additionally, researchers identified suspicious sign-in attempts targeting specific application IDs pre-configured in TeamFiltration’s codebase, which correspond to Microsoft OAuth client applications capable of obtaining “family refresh tokens” from Entra ID.

These tokens can subsequently be exchanged for valid bearer tokens across multiple Microsoft services, amplifying the potential impact of successful compromises.

The campaign’s infrastructure requirements align perfectly with TeamFiltration’s specifications, necessitating both AWS accounts for password spraying operations and sacrificial Office 365 accounts with Microsoft 365 Business Basic licenses for enumeration functions.


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.