Introduction:
A newly discovered cyber campaign has rattled the cybersecurity community, as hackers leveraged a powerful penetration testing tool, TeamFiltration, to target tens of thousands of Microsoft Entra ID accounts globally. Researchers from Proofpoint have uncovered a persistent and well-coordinated attack attributed to an actor they dubbed UNK_SneakyStrike. The campaign, which began in December 2024, highlights a growing trend of abusing legitimate red-team frameworks for malicious purposes. With the scale and precision of these attacks, organizations using Microsoft's identity infrastructure are now facing a stark wake-up call.
Main Story:
Hackers have exploited the TeamFiltration framework to launch a massive cyber offensive on Microsoft Entra ID accounts, compromising digital identities at an alarming scale. According to cybersecurity firm Proofpoint, the threat actor, labeled UNK_SneakyStrike, began targeting user accounts in December 2024, orchestrating a series of attacks that impacted more than 80,000 users across hundreds of organizations worldwide. TeamFiltration, originally developed in 2022 by red team researcher Melvin Langvik, is designed to test the resilience of Office 365 environments. However, in this malicious campaign, it was weaponized to probe, exploit, and potentially hijack real corporate accounts.
The attack peaked on January 8, 2025, when 16,500 accounts were targeted in a single day. This was followed by strategic pauses, indicating deliberate, planned operations rather than random spraying. In smaller organizations, every account was targeted, while larger enterprises saw selective targeting within specific user groups, hinting at a tailored approach. TeamFiltration's presence was identified through unique user agent strings and OAuth client IDs embedded within its codebase. The attackers even incorporated an outdated version of Secureworks' FOCI project, revealing traces of previously used public security tools.
To execute these attacks, the adversaries utilized AWS infrastructure across various regions. A decoy Office 365 account with a basic license served as a proxy to abuse Microsoft Teams APIs, allowing for stealthy enumeration of user accounts. The bulk of the attack traffic originated from U.S. IP addresses (42%), with notable volumes from Ireland (11%) and the United Kingdom (8%).
Proofpoint advises organizations to take immediate action by blocking IPs listed in their indicators of compromise (IOCs), applying detection for known TeamFiltration user agents, and strengthening their identity protection strategies. Essential measures include enforcing multi-factor authentication (MFA), enabling OAuth 2.0 safeguards, and implementing conditional access policies within Microsoft Entra ID environments.
What Undercode Says:
The repurposing of TeamFiltration by UNK_SneakyStrike is a classic example of how offensive security tools, while essential for legitimate penetration testing, can become double-edged swords. Originally intended to help organizations find and fix vulnerabilities, TeamFiltration is now being manipulated to exploit those same weak points, blurring the lines between red teaming and active exploitation.
The campaign's scope, impacting over 80,000 users, is staggering. The attacker's ability to scale this operation across numerous organizations reflects a mature understanding of cloud identity systems and their vulnerabilities. What makes this incident more concerning is the tactical variation observed: indiscriminate spraying in smaller companies, but precision targeting in larger ones. This dual-mode strategy suggests a careful reconnaissance phase prior to execution, with attackers likely harvesting information from publicly available sources or prior breaches.
Furthermore, the infrastructure used demonstrates a savvy approach to evasion. AWS servers provided flexibility and global distribution, while the use of sacrificial accounts to leverage the Microsoft Teams API reveals deep product knowledge. This isn't the work of script kiddies or opportunistic hackers; it's a methodical campaign.
From a defensive standpoint, the identification of TeamFiltration's digital fingerprints, like its OAuth client IDs and unique user agent strings, provides a key advantage. These artifacts give defenders a concrete basis for building threat detection rules. Yet, the fact that attackers embedded outdated open-source material like FOCI underscores a deeper issue: legacy tools and abandoned projects still pose significant risks when not properly deprecated or monitored.
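Proofpoint's advice above (detect known TeamFiltration user agents and client IDs) and the fingerprint discussion here both come down to rules over Entra ID sign-in logs. The following is an added example, not code from the article or from Proofpoint: it scans constructed sign-in records for a watchlist of user agents and OAuth client IDs, and separately flags an IP that fails sign-ins against many distinct accounts, the spraying pattern described in the campaign. The watchlist values and the field names (`userAgent`, `appId`, `ipAddress`, `userPrincipalName`, `status`) are assumed placeholders; the real indicators come from Proofpoint's IOC list.

```python
import json
from collections import defaultdict

# Assumed placeholders: substitute the user agents and OAuth client IDs from
# Proofpoint's IOC list. These values are not real TeamFiltration indicators.
WATCHED_USER_AGENTS = {"EXAMPLE-TeamFiltration-UA/1.0"}
WATCHED_CLIENT_IDS = {"00000000-0000-0000-0000-000000000000"}

# Constructed sample sign-in events (JSON lines), loosely shaped like
# Entra ID sign-in log entries; field names are simplified assumptions.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "userAgent": "EXAMPLE-TeamFiltration-UA/1.0", "appId": "1fec8e78-aaaa-4d51-b3c1-000000000001", "status": "failure"}
{"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0", "appId": "00000000-0000-0000-0000-000000000000", "status": "failure"}
{"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0", "appId": "1fec8e78-aaaa-4d51-b3c1-000000000001", "status": "failure"}
{"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.5", "userAgent": "Mozilla/5.0", "appId": "1fec8e78-aaaa-4d51-b3c1-000000000001", "status": "success"}
"""


def parse_signins(raw):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def scan_signins(events, spray_threshold=3):
    """Return sorted, de-duplicated (reason, ip) alerts.

    Two rule families: exact matches on watched tool fingerprints, and a
    per-source-IP count of distinct accounts with failed sign-ins, which
    exceeds spray_threshold when one host is spraying many users.
    """
    alerts = set()
    failed_users_per_ip = defaultdict(set)
    for e in events:
        ip = e["ipAddress"]
        if e.get("userAgent") in WATCHED_USER_AGENTS:
            alerts.add(("watched_user_agent", ip))
        if e.get("appId") in WATCHED_CLIENT_IDS:
            alerts.add(("watched_client_id", ip))
        if e.get("status") != "success":
            failed_users_per_ip[ip].add(e["userPrincipalName"])
    for ip, users in failed_users_per_ip.items():
        if len(users) >= spray_threshold:
            alerts.add(("possible_password_spray", ip))
    return sorted(alerts)


if __name__ == "__main__":
    for reason, ip in scan_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"{reason}: {ip}")
```

Matching on a fixed user-agent string is brittle, so a tool fingerprint rule should sit beside the per-IP distinct-account count, which keeps working when the client string changes.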
The recommended countermeasures, enforcing MFA, leveraging conditional access policies, and scrutinizing network traffic, are critical, but not foolproof. These must be part of a larger, layered defense strategy that includes behavioral analytics, anomaly detection, and continuous threat intelligence integration.
In the long run, enterprises must start treating red team tools as potential threat vectors. This requires better tooling to monitor for their misuse, education for security teams about these risks, and tighter controls on API access, particularly for third-party tools.
The takeaway is clear: even legitimate tools can become cyberweapons in the wrong hands. Organizations must stay vigilant, not only against malware and ransomware, but also against the silent, stealthy manipulation of tools designed to protect them.
Fact Checker Results:
✅ TeamFiltration was originally published in 2022 by Melvin Langvik
✅ Over 80,000 accounts were targeted in the campaign starting December 2024
✅ Proofpoint linked the activity to the tool via rare OAuth client IDs and user agent strings
Prediction:
🔮 Expect more malicious actors to adopt and repurpose red-team frameworks for live attacks in 2025
🔮 Microsoft and other cloud providers will likely enhance detection for tools like TeamFiltration in upcoming security updates
🔮 Identity security will become the new battleground, with growing demand for AI-driven anomaly detection and behavioral authentication systems
References:
Reported By: www.bleepingcomputer.com