UNK_SneakyStrike: Massive Microsoft Entra ID Account Takeover Campaign Targets 80,000+ Users with Pentesting Tool
Microsoft Entra ID Security Threat: Comprehensive Analysis of UNK_SneakyStrike Campaign – Password Spray Attacks Evolve
A sophisticated account takeover campaign has emerged, leveraging the open-source penetration testing framework TeamFiltration to systematically breach Microsoft Entra ID environments. Security researchers from Proofpoint have identified this ongoing operation, dubbed UNK_SneakyStrike, which has successfully targeted over 80,000 user accounts across hundreds of organizations since December 2024.
Description of the Attack
TeamFiltration is a cross-platform penetration testing framework originally developed by security researcher Melvin “Flangvik” Langvik and publicly released at the DEF CON security conference in August 2022. The tool was designed for legitimate red team operations to help security professionals test the resilience of Microsoft 365 and Azure AD environments against account takeover scenarios.
However, threat actors have weaponized this publicly available tool to conduct large-scale password spraying attacks against Microsoft Entra ID accounts. The framework provides comprehensive capabilities for enumerating user accounts, conducting password spray attacks, exfiltrating data, and establishing persistent access through malicious OneDrive backdoors.
(Execution flow of TeamFiltration, as displayed on GitHub – Source: TeamFiltration)
Severity of the Issue
This campaign represents a critical security threat with widespread implications. Since December 2024, the operation has escalated dramatically, reaching its peak in early January 2025 when attackers targeted 16,500 accounts in a single day. The scale and persistence of these attacks demonstrate a significant evolution in automated account takeover campaigns, affecting organizations of all sizes across multiple industries.
The severity is amplified by the tool’s legitimate origins: malicious use can blend in with normal security testing activity, which makes detection and attribution harder for security teams.
How the Attack is Exploited
The UNK_SneakyStrike campaign employs a sophisticated multi-stage approach leveraging TeamFiltration’s automated capabilities:
Account Enumeration: Attackers begin by using the Microsoft Teams API through a “sacrificial” Office 365 account with a Microsoft 365 Business Basic license to verify the existence of user accounts within target organizations. This enumeration phase allows them to build comprehensive lists of valid targets without triggering immediate security alerts.
Password Spraying Operations: The framework conducts systematic password spraying attacks using common passwords against the enumerated accounts. These attacks rotate across different Amazon Web Services (AWS) servers in multiple geographic regions to evade detection and IP-based blocking mechanisms.
Infrastructure Rotation: Each password spraying wave originates from different AWS servers in new geographic locations, with the primary attack sources distributed across the United States (42%), Ireland (11%), and Great Britain (8%). This geographic distribution makes traditional IP-based defenses less effective.
OAuth Token Exploitation: Upon successful authentication, the tool targets specific Microsoft OAuth client applications to obtain “family refresh tokens” from Entra ID. These tokens can subsequently be exchanged for valid bearer tokens across multiple Microsoft services, amplifying the potential impact of successful compromises.
Persistent Access: TeamFiltration establishes backdoors by uploading malicious files to compromised users’ OneDrive accounts and replacing legitimate desktop files with malicious versions containing macros or malware for ongoing access.
(Code Displaying a List of Client application IDs Used in Targeting – Source: TeamFiltration)
Who is Behind the Issue
The threat actor conducting this campaign has been designated UNK_SneakyStrike by Proofpoint researchers. While the specific identity of the operator remains unknown, the sophisticated nature of the operation suggests an experienced cybercriminal or group with significant cloud infrastructure resources and technical expertise.
The campaign’s methodology indicates the attacker has intimate knowledge of Microsoft 365 security mechanisms and the capabilities of the TeamFiltration framework. The systematic approach to geographic rotation and timing suggests a well-resourced operation focused on evading detection while maximizing the scale of compromise.
Who is at Risk
Organizations of all sizes using Microsoft Entra ID are potential targets, but the campaign shows distinct targeting patterns based on organizational size. For smaller tenants, attackers attempt to compromise all user accounts, while larger organizations see more selective targeting of specific user subsets.
Particularly vulnerable organizations include those with:
- Weak password policies allowing common passwords
- Inconsistent multi-factor authentication implementation
- Limited monitoring of non-interactive sign-in attempts
- Inadequate conditional access policies
- Reliance on legacy authentication protocols
The campaign specifically targets native Microsoft applications including Teams, OneDrive, and Outlook, making any organization heavily dependent on the Microsoft 365 ecosystem a potential victim.
Remediation Strategies
Organizations should implement immediate defensive measures to protect against this ongoing threat:
Multi-Factor Authentication: Enable MFA for all user accounts across the organization. This represents the most effective single control against account takeover attempts.
OAuth 2.0 Enforcement: Implement modern authentication protocols and disable legacy authentication methods that bypass MFA protections.
Conditional Access Policies: Deploy comprehensive conditional access rules that restrict sign-in attempts based on location, device trust status, and user risk levels.
Password Policy Enhancement: Implement strong password policies and consider deploying password protection solutions that block common passwords used in spray attacks.
Monitoring and Detection: Establish detection rules for the specific TeamFiltration user agent string: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36”
IP Address Blocking: Block known malicious IP addresses associated with the campaign and monitor for suspicious sign-in patterns from AWS IP ranges.
Sign-in Log Analysis: Implement comprehensive monitoring of both interactive and non-interactive sign-in attempts, looking for unusual patterns of failed authentication attempts.
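The user agent and sign-in log monitoring points above can be turned into a simple triage pass over exported sign-in events. The script below is an added example for this article; it is not code from the article, from Proofpoint, or from the TeamFiltration project. It assumes sign-in events exported as newline-delimited JSON with a simplified subset of the Entra ID sign-in log fields (userPrincipalName, ipAddress, status.errorCode, userAgent, isInteractive, appDisplayName), treats Entra error code 50126 as an invalid-credential failure, uses an assumed threshold of five distinct accounts per source IP to call something a spray, and runs on constructed sample events that use documentation IP ranges rather than any real campaign infrastructure.

```python
"""Triage exported Entra ID sign-in events for TeamFiltration-style activity.

Added example: the record shape is a simplified, assumed subset of the Entra
sign-in log export; the sample events below are constructed, not real telemetry.
"""
import json
from collections import defaultdict

# User agent string the article attributes to TeamFiltration.
TEAMFILTRATION_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 "
    "Electron/8.5.1 Safari/537.36"
)
AADSTS_INVALID_CREDENTIALS = 50126   # Entra error code: invalid username or password
SPRAY_MIN_DISTINCT_USERS = 5         # assumed threshold; tune per tenant

# Constructed sample data: one JSON object per line, documentation IP ranges only.
_BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"


def _event(upn, ip, code, ua, interactive, ts):
    """Build one constructed sign-in event in the assumed export shape."""
    return json.dumps({
        "createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
        "status": {"errorCode": code}, "userAgent": ua,
        "isInteractive": interactive, "appDisplayName": "Microsoft Teams",
    })


SAMPLE_SIGNIN_LOG = "\n".join(
    # six different accounts failing from one IP, non-interactive, spray user agent
    [_event(f"{u}@example.com", "203.0.113.10", AADSTS_INVALID_CREDENTIALS,
            TEAMFILTRATION_UA, False, f"2025-01-05T03:{i:02d}:00Z")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # one account that the same IP then signs into successfully
    + [_event("grace@example.com", "203.0.113.10", 0, TEAMFILTRATION_UA, False,
              "2025-01-05T03:07:00Z"),
       # a benign-looking single failure from an ordinary browser
       _event("henry@example.com", "198.51.100.7", AADSTS_INVALID_CREDENTIALS,
              _BROWSER_UA, True, "2025-01-05T03:08:00Z"),
       # a normal interactive success from an unrelated IP
       _event("alice@example.com", "192.0.2.20", 0, _BROWSER_UA, True,
              "2025-01-05T03:09:00Z")]
)


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_teamfiltration_ua(records):
    """Events whose user agent exactly matches the TeamFiltration string."""
    return [r for r in records if r.get("userAgent") == TEAMFILTRATION_UA]


def detect_password_spray(records, min_users=SPRAY_MIN_DISTINCT_USERS):
    """Map source IP -> sorted distinct accounts with invalid-credential failures,
    keeping only IPs that failed against at least `min_users` accounts."""
    failed = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == AADSTS_INVALID_CREDENTIALS:
            failed[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_users}


def likely_compromised(records, spray_ips):
    """Accounts that signed in successfully from an IP flagged as spraying."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["ipAddress"] in spray_ips and r["status"]["errorCode"] == 0})


def non_interactive_failures(records):
    """Count failed non-interactive sign-ins, which many teams do not watch."""
    return sum(1 for r in records
               if not r.get("isInteractive", True) and r["status"]["errorCode"] != 0)


def triage(text):
    """Run every check over an exported log and return one summary dict."""
    records = parse_signin_log(text)
    spray = detect_password_spray(records)
    return {
        "teamfiltration_ua_events": len(find_teamfiltration_ua(records)),
        "spray_sources": spray,
        "likely_compromised": likely_compromised(records, spray),
        "non_interactive_failures": non_interactive_failures(records),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNIN_LOG), indent=2))
```

Running the script prints a summary that flags 203.0.113.10 as a spray source against six accounts and lists grace@example.com as the account that later succeeded from it; the single browser failure from 198.51.100.7 stays below the threshold. The exact user agent match is the cheapest signal but also the most brittle, since the string is trivial to change, so the per-IP distinct-account heuristic and the non-interactive failure count are the checks worth keeping once the published string stops appearing.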
How CinchOps Can Help
At CinchOps, our decades of experience in enterprise IT security uniquely position us to protect your organization from sophisticated account takeover campaigns like UNK_SneakyStrike. We understand that modern threats require comprehensive, layered security approaches that go beyond traditional perimeter defenses.
Our managed IT security services provide:
- Advanced Identity Protection: Implementation and management of robust multi-factor authentication systems, conditional access policies, and identity governance frameworks specifically designed for Microsoft 365 environments
- 24/7 Security Monitoring: Continuous monitoring of your Microsoft Entra ID sign-in logs and authentication patterns, with real-time detection of suspicious activities and automated response capabilities
- Cloud Security Assessment: Comprehensive evaluation of your current Microsoft 365 security posture, identifying vulnerabilities and implementing hardening measures against password spray attacks
- Incident Response Planning: Development and testing of incident response procedures specifically tailored to account takeover scenarios, ensuring rapid containment and recovery
- Security Awareness Training: Regular training programs to educate your staff about password security, phishing attempts, and social engineering tactics used by threat actors
- Managed Security Services: End-to-end management of your cybersecurity infrastructure, including deployment and maintenance of advanced threat detection systems
Don’t let your organization become the next victim of sophisticated account takeover campaigns. CinchOps has the knowledge and tools necessary to implement comprehensive defenses against evolving threats like the TeamFiltration attacks. Contact CinchOps today to schedule a security assessment and learn how we can strengthen your organization’s defenses against modern cyber threats.
For Additional Information on this topic: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool