Threat researchers at Proofpoint have discovered an active account takeover (ATO) campaign that makes use of the TeamFiltration pentesting framework, in a notable increase in cyberthreats directed against cloud-based collaboration platforms.
The campaign, tracked as UNK_SneakyStrike, has been ongoing since December 2024 and has targeted more than 80,000 user accounts across hundreds of organizations, resulting in numerous successful compromises of Microsoft Teams, OneDrive, Outlook, and other Microsoft Entra ID resources.
Surge in Account Takeover Campaigns
TeamFiltration, originally designed as a legitimate penetration testing tool, automates advanced tactics, techniques, and procedures (TTPs) for simulating attacks on Office 365 and Entra ID environments.
Its core capabilities include account enumeration, password spraying, data exfiltration, and persistent access via “backdooring” OneDrive accounts.
However, as with many dual-use tools, TeamFiltration’s features have been weaponized by malicious actors to facilitate unauthorized access and data theft.

Proofpoint’s investigation revealed that attackers are leveraging the Microsoft Teams API and Amazon Web Services (AWS) infrastructure distributed across multiple geographic regions to conduct large-scale user enumeration and password spraying attacks.
The attackers systematically rotate AWS regions, ensuring that each wave of password spraying attempts originates from a different server and location, complicating detection and response efforts.
UNK_SneakyStrike Targets Over 80,000 Entra ID Accounts
A critical discovery by Proofpoint researchers was the identification of a distinctive user agent string, corresponding to an outdated version of Microsoft Teams, that TeamFiltration uses by default.

This rare user agent, combined with access attempts to specific Microsoft OAuth client applications and user agent spoofing, served as a reliable indicator for detecting TeamFiltration-driven intrusions.
Further analysis linked these activities to a pre-configured list of Microsoft application IDs within TeamFiltration’s logic, which are exploited to obtain “family refresh tokens” and subsequently valid bearer tokens for unauthorized access.
The UNK_SneakyStrike campaign’s activity is characterized by highly concentrated bursts of unauthorized access attempts, often targeting all users within smaller cloud tenants and select users in larger environments.
These bursts are typically followed by quiet periods of four to five days. The attackers’ infrastructure is primarily based in the United States (42%), with significant activity also traced to Ireland (11%) and Great Britain (8%).
One of the technical challenges in this investigation was distinguishing between legitimate penetration testing and actual malicious activity.
Proofpoint achieved this by analyzing the distribution and velocity of targeting attempts, noting that malicious campaigns tend to be broader and less discriminating than controlled security assessments.
The campaign’s reliance on AWS infrastructure, combined with the use of “sacrificial” Office 365 accounts for enumeration, highlights the sophistication and adaptability of modern threat actors.
Notably, a recent update to TeamFiltration introduced a OneDrive-based enumeration method, further enhancing its capability to identify valid user accounts before launching attacks.
Proofpoint warns that as cybercriminals pivot away from traditional intrusion methods, the adoption of advanced frameworks like TeamFiltration for malicious purposes is expected to rise.
The dual-use nature of such tools underscores the urgent need for organizations to correlate technical indicators with behavioral analytics and threat intelligence to accurately detect and mitigate threats.
Indicators of Compromise (IOC)
| Indicator | Type | Description | First Seen |
|---|---|---|---|
| Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36 | User Agent | Default user agent associated with TeamFiltration | – |
| 44.220.31[.]157 | IP Address | Source IP associated with UNK_SneakyStrike activity | 04/01/2025 |
| 44.206.7[.]122 | IP Address | Source IP associated with UNK_SneakyStrike activity | 07/01/2025 |
| 3.255.18[.]223 | IP Address | Source IP associated with UNK_SneakyStrike activity | 28/02/2025 |
| 44.206.7[.]134 | IP Address | Source IP associated with UNK_SneakyStrike activity | 07/01/2025 |
| 44.212.180[.]197 | IP Address | Source IP associated with UNK_SneakyStrike activity | 05/01/2025 |
| 3.238.215[.]143 | IP Address | Source IP associated with UNK_SneakyStrike activity | 04/01/2025 |
| 44.210.66[.]100 | IP Address | Source IP associated with UNK_SneakyStrike activity | 20/12/2024 |
| 3.216.140[.]96 | IP Address | Source IP associated with UNK_SneakyStrike activity | 07/01/2025 |
| 44.210.64[.]196 | IP Address | Source IP associated with UNK_SneakyStrike activity | 20/12/2024 |
| 44.218.97[.]232 | IP Address | Source IP associated with UNK_SneakyStrike activity | 04/01/2025 |
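The detection approach the report describes rests on two things: static indicators (the rare Teams user agent and the source IPs in the table above) and the velocity of targeting, since a password-spraying wave hits many distinct accounts from one address in a short burst while a controlled assessment is narrower. The script below is an added example, not Proofpoint's or TeamFiltration's code, that applies both checks to a constructed sign-in log. The log shape (one JSON object per line with `time`, `ip`, `user`, `userAgent` and `status` fields), the example tenant names, and the burst thresholds (20 distinct accounts within 10 minutes) are assumptions for illustration; the user agent string and IP addresses are taken from the IOC table and de-fanged before matching.

```python
"""Added example (not from the Proofpoint report): triage sign-in events
against the UNK_SneakyStrike indicators and flag spraying bursts.

Assumptions: a simplified, constructed log format (JSON per line with
`time`, `ip`, `user`, `userAgent`, `status`); illustrative thresholds.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Default user agent associated with TeamFiltration (from the IOC table).
TEAMFILTRATION_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 "
    "Electron/8.5.1 Safari/537.36"
)

# Source IPs from the IOC table, in the de-fanged form the report uses.
IOC_IPS_DEFANGED = [
    "44.220.31[.]157", "44.206.7[.]122", "3.255.18[.]223", "44.206.7[.]134",
    "44.212.180[.]197", "3.238.215[.]143", "44.210.66[.]100", "3.216.140[.]96",
    "44.210.64[.]196", "44.218.97[.]232",
]


def refang(ip: str) -> str:
    """Turn '44.220.31[.]157' into '44.220.31.157' so it can match log data."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def match_indicators(event: dict) -> list:
    """Return the static indicators one event matches (empty list if none)."""
    hits = []
    if event.get("userAgent") == TEAMFILTRATION_UA:
        hits.append("teamfiltration-user-agent")
    if event.get("ip") in IOC_IPS:
        hits.append("ioc-source-ip")
    return hits


def find_spray_bursts(events, window=timedelta(minutes=10), min_users=20):
    """Per source IP, find the largest number of distinct accounts attempted
    inside any sliding `window`; report IPs reaching `min_users`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    bursts = {}
    for ip, items in by_ip.items():
        items.sort()
        in_window = defaultdict(int)  # user -> count of events in window
        start, peak = 0, 0
        for t, user in items:
            in_window[user] += 1
            # Drop events that fell out of the window ending at `t`.
            while items[start][0] < t - window:
                old_user = items[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_users:
            bursts[ip] = peak
    return bursts


def triage(lines):
    """Parse JSON-per-line events and return static hits plus burst findings."""
    events = [json.loads(line) for line in lines]
    static = defaultdict(set)
    for e in events:
        for hit in match_indicators(e):
            static[e["ip"]].add(hit)
    return {"static_hits": dict(static), "bursts": find_spray_bursts(events)}


def build_sample_log():
    """Constructed sign-in events (not real telemetry), one JSON object per line."""
    base = datetime(2025, 1, 4, 3, 0, 0)
    lines = []
    # 25 distinct accounts sprayed from one IOC address within five minutes.
    for i in range(25):
        lines.append(json.dumps({
            "time": (base + timedelta(seconds=12 * i)).isoformat(),
            "ip": "44.220.31.157", "user": f"user{i:02d}@example.com",
            "userAgent": TEAMFILTRATION_UA, "status": "failure"}))
    # One attempt from a non-IOC address that still carries the rare UA.
    lines.append(json.dumps({
        "time": (base + timedelta(hours=1)).isoformat(), "ip": "203.0.113.9",
        "user": "user99@example.com", "userAgent": TEAMFILTRATION_UA,
        "status": "failure"}))
    # Ordinary interactive sign-ins from a benign address, spread over hours.
    for i in range(3):
        lines.append(json.dumps({
            "time": (base + timedelta(hours=2 + i)).isoformat(),
            "ip": "198.51.100.7", "user": f"staff{i}@example.com",
            "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
            "status": "success"}))
    return lines


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_log()), default=list, indent=2))
```

Run against the constructed log, the IOC address is flagged on both the user agent and the IP list and also as a burst (25 distinct accounts in one window), the second address is flagged on the user agent alone, and the benign address produces nothing. In practice the burst threshold should be tuned to the tenant's size, and, as the report notes, velocity and breadth of targeting are what separate a spraying campaign from an authorized assessment that happens to use the same tool.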