- Hackers are abusing a legitimate tool to target Entra ID accounts
- The password spraying attack targeted some 80,000 accounts
- Attackers managed to take over some accounts, accessing Microsoft Teams, OneDrive, Outlook data
Cybercriminals have been spotted abusing a legitimate penetration testing tool to target people’s Entra ID user accounts with password-spraying attacks, experts hgave warned.
In an in-depth analysis shared with TechRadar Pro, cybersecurity researchers from Proofpoint claimed tens of thousands of accounts were targeted, and a few were compromised.
The researchers said unnamed threat actors engaged in a large-scale attack they dubbed UNK_SneakyStrike.
“Several” accounts compromised
In this campaign, the attackers used a legitimate pentesting tool called TeamFiltration.
This tool was created by a threat researcher in early 2021 and publicly released at DefCon30. It helps automate several tactics, techniques, and procedures (TTPs) used in modern ATO attack chains.
“As with many security tools that are originally created and released for legitimate uses, such as penetration testing and risk evaluation, TeamFiltration was also leveraged in malicious activity,” Proofpoint explained.
The researchers said the campaign most likely started in December 2024. By abusing Microsoft Teams API and Amazon Web Services (AWS) servers located around the world, they were able to launch user-enumeration and password-spraying attacks, targeting some 80,000 user accounts across roughly 100 cloud tenants.
The three primary source geographies from which the attacks originated include the United States (42%), Ireland (11%), and Great Britain (8%).
Proofpoint said that in “several cases”, the attackers managed to take over the accounts, accessing valuable information in Microsoft Teams, OneDrive, Outlook, and other productivity tools.
There was no attribution, so we don’t know if any organized threat actor sits behind this campaign. The researchers focused mostly on the use of legitimate tools for illegitimate purposes, saying they can “easily be weaponized” in an attempt to compromise user accounts, exfiltrate sensitive data, and establish persistent footholds.
“Proofpoint anticipates that threat actors will increasingly adopt advanced intrusion tools and platforms, such as TeamFiltration, as they pivot away from less effective intrusion methods.”
