A new wave of attacks has hit the corporate world, targeting more than 80,000 Microsoft Entra ID accounts. The campaign was uncovered by researchers at Proofpoint, who tied it to a tool called TeamFiltration, an open-source framework originally written for penetration testing that is now being turned against real organizations.

The campaign, which Proofpoint tracks as UNK_SneakyStrike, began in December 2024. It is not a one-off event but a series of ongoing attempts to break into corporate Microsoft accounts. The attackers relied on password spraying: instead of hammering one account with many guesses, they try a handful of common passwords against a large number of accounts, which keeps each account below its lockout threshold. Because plenty of people still reuse weak passwords, the method works well wherever a second factor is not enforced.

What makes this campaign dangerous is its scale and its strategy. The attackers did not hit one company; they went after hundreds of organizations. The attempts arrived in waves, and each wave came from a different Amazon Web Services (AWS) IP address, so no single source ever built up the volume that per-IP rate limits, lockouts, or block lists are designed to catch. Spreading the guesses across infrastructure is what lets a spray of this size stay under the radar.

TeamFiltration leans on legitimate Microsoft APIs throughout. It uses the Microsoft Teams API to check which accounts actually exist before spraying them, and once a password lands, the same kind of API access lets the operator enumerate other users in the tenant and reach Teams, Outlook, OneDrive, and SharePoint with the stolen token. Because every request looks like ordinary Microsoft 365 client traffic, security teams have a harder time telling the activity apart from normal use.

The tool at the center of this activity, TeamFiltration, was written by Melvin Langvik (also known as Flangvik) and released publicly at DEF CON in August 2022. Although it was built for authorized red-team work, criminals are now using it in real intrusions. Its feature set covers user enumeration, password spraying, token extraction, and exfiltration of files from the victim's cloud services.

TeamFiltration works in two parts: a Python-based agent and a C# payload. Together they give an attacker deep access to a Microsoft 365 environment. After getting in, the operator can exfiltrate data, plant backdoors, and maintain access for long periods without being noticed.

The real problem is how little skill the tool demands. TeamFiltration is open source and sits on GitHub, so anyone with basic technical knowledge can run it. That lowers the bar for attackers and raises the risk for every organization whose identity platform is Entra ID.

So, what should companies do to protect themselves? Security experts strongly recommend enforcing multi-factor authentication (MFA) on every account, preferably with phishing-resistant methods such as FIDO2 security keys. Conditional Access policies should block sign-ins that fail checks on location, device health, or sign-in risk. Keep in mind that MFA only matters once a password guess succeeds; it does nothing to stop the spray itself, so the spray still has to be detected.

That means watching account activity closely. A burst of failed sign-ins spread across many different users, successful sign-ins from unfamiliar locations or cloud provider address ranges, and unexpected new device registrations are all signals that something is wrong. Logging and alerting on these patterns is what lets defenders catch an attack before it causes serious damage.

To sum up, this campaign shows how dangerous even a well-intentioned tool becomes once it is in the wrong hands. With more than 80,000 accounts already targeted, it is a serious reminder for every company to tighten its identity security. Tools like TeamFiltration are not going away, so prevention plus fast detection is the best defense available right now.


Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news