Exploiting TeamFiltration – Hackers Breach Microsoft Services via Pentesting Framework

Security researchers at Proofpoint have uncovered a sophisticated, ongoing campaign tracked as UNK_SneakyStrike that has leveraged the TeamFiltration pentesting framework to compromise Microsoft Entra ID user accounts at scale.

Since December 2024, this campaign has targeted more than 80,000 user accounts across hundreds of organizations, resulting in multiple confirmed account takeovers (ATOs).

The attackers have exploited access to critical Microsoft resources such as Teams, OneDrive, and Outlook, demonstrating a dangerous blurring of lines between legitimate security tools and malicious exploitation.

Weaponizing a Pentesting Tool

TeamFiltration, initially developed by a security researcher and released publicly at DefCon30 in 2021, was designed to automate common tactics, techniques, and procedures (TTPs) used in modern ATO attack chains. Its capabilities are extensive:

  • Account Enumeration: The tool uses a “sacrificial” Office 365 Business Basic account and the Microsoft Teams API to verify the existence of user accounts within a target environment. Recent updates have added OneDrive-based enumeration, further expanding its reach.
  • Password Spraying: TeamFiltration systematically attempts to compromise accounts using common or algorithmically varied passwords, rotating through different AWS regions to evade detection.
  • Data Exfiltration: Once access is gained, the tool enables attackers to extract emails, files, and other sensitive data.
  • Persistence via OneDrive: By uploading malicious files to a victim’s OneDrive and replacing existing desktop files with lookalikes, attackers can establish persistent access and potentially enable lateral movement within the network.

The attackers behind UNK_SneakyStrike have exploited these features to their full potential, utilizing AWS infrastructure across multiple regions, primarily the United States (42%), Ireland (11%), and the United Kingdom (8%), to launch their attacks.

Each password spraying wave originates from a different server, making attribution and detection more challenging.

Campaign Tactics and Attribution

Proofpoint’s investigation revealed several unique indicators that allowed researchers to attribute activity to TeamFiltration:

  • Distinctive User Agent: The default user agent associated with TeamFiltration is rarely observed in legitimate environments. Its appearance in logs correlated strongly with malicious activity.
  • Spoofed Application Access: Researchers observed attempted access to specific sign-in applications from devices incompatible with those applications, indicating user agent spoofing and obfuscation.
  • Client ID Anomalies: TeamFiltration’s configuration includes a list of client application IDs, some of which are incorrect (e.g., ‘Outlook’ and ‘OneNote’ IDs actually correspond to ‘Microsoft Office’ and ‘OneDrive SyncEngine’). These anomalies, likely due to an outdated snapshot from the Secureworks FOCI research repository, provided another strong indicator of attribution.

[Figure] Execution flow of TeamFiltration, as displayed on GitHub (github.com/Flangvik/TeamFiltration).

The campaign’s activity pattern is characterized by concentrated bursts of unauthorized access attempts, targeting all users in smaller tenants and a subset in larger ones, followed by quiet periods of 4–5 days.

This pattern, combined with the tool’s advanced target acquisition features, suggests a highly automated and scalable operation.

Defense and Detection Recommendations

To defend against such attacks, organizations should:

  • Monitor authentication logs for the distinctive TeamFiltration user agent and known AWS IP addresses (e.g., 44.220.31.157, 44.206.7.122, 3.255.18.223).
  • Implement conditional access policies to block legacy authentication and require multi-factor authentication (MFA).
  • Audit sign-ins for mismatched device/application combinations and monitor for token reuse.
  • Correlate behavioral analytics with threat intelligence to distinguish between legitimate penetration testing and real-world malicious activity.

The UNK_SneakyStrike campaign highlights the growing risk posed by the weaponization of legitimate security tools.

As threat actors increasingly adopt advanced frameworks like TeamFiltration, organizations must remain vigilant, leveraging both technical controls and behavioral analytics to protect their cloud environments.

Proofpoint anticipates that such attacks will continue to rise, underscoring the need for robust, adaptive security postures in the face of evolving threats.

IOCs

| Indicator | Type | Description | First Seen |
|---|---|---|---|
| Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36 | User Agent | Default user agent associated with TeamFiltration activity | |
| 44.220.31[.]157 | IP Address | Source IP associated with UNK_SneakyStrike activity | 04/01/2025 |
| 44.206.7[.]122 | IP Address | Source IP associated with UNK_SneakyStrike activity | 07/01/2025 |

Priya
