Proofpoint has identified an active account takeover campaign targeting Microsoft Entra ID users and exploiting the TeamFiltration penetration testing framework.
The campaign, which Proofpoint has named UNK_SneakyStrike, has involved attackers gaining unauthorised access to native applications including Microsoft Teams, OneDrive, and Outlook. According to the company's research, since December 2024 this activity has impacted over 80,000 user accounts across hundreds of organisations, resulting in several instances of successful account takeover.
Attack methods
UNS_SneakyStrike deploys the TeamFiltration pentesting framework to carry out its attacks, leveraging the Microsoft Teams API and Amazon Web Services (AWS) servers in multiple geographical regions. The attackers execute user-enumeration and password-spraying attacks to identify and compromise target accounts.
TeamFiltration, which was first released in January 2021, is a post-exploitation tool originally designed for legitimate penetration testing and risk evaluation of Microsoft 365 environments. The tool automates a variety of tactics, techniques, and procedures (TTPs) associated with account takeover campaigns, including account enumeration, password spraying, and data exfiltration.
The attackers have exploited access to specific resources and applications with TeamFiltration's features for persistent access. These include "backdooring" via OneDrive, accomplished by uploading malicious files to a user's OneDrive and replacing desktop files with rogue versions, potentially containing malware or macros for ongoing access. Proofpoint noted, "TeamFiltration helps automate several tactics, techniques, and procedures (TTPs) used in modern ATO attack chains. As with many security tools that are originally created and released for legitimate uses, such as penetration testing and risk evaluation, TeamFiltration was also leveraged in malicious activity."
Identifying the activity
Proofpoint researchers analysed TeamFiltration's public GitHub documentation and configuration files to identify a rare user agent string — representing an outdated Teams client — being used during suspicious activity. This served as a key indicator for tracking unauthorised uses of the tool. They also observed attempts by attackers to access sign-in applications from devices incompatible with those services, suggesting the use of user agent spoofing as a means to disguise the source of the attacks.
Another indicator was the pattern of attempted access to a defined list of Microsoft OAuth client applications. The applications are capable of obtaining special "family refresh tokens," allowing attackers to exchange them for access tokens to exploit various native Microsoft applications.
Proofpoint found that TeamFiltration's most recent client ID list contained some inaccuracies, with incorrect mappings for 'Outlook' and 'OneNote'. Despite this, the tool's configuration closely aligned with a known family of client IDs published publicly by another cyber security research initiative.
AWS infrastructure and behaviour
TeamFiltration requires an AWS account to conduct its simulated attacks. Its password spraying function systematically rotates through different AWS Regions, and its enumeration features rely either on a disposable Microsoft 365 Business Basic account or, following recent updates, on a OneDrive-based method. Proofpoint stated, "TeamFiltration's enumeration function leverages the disposable account and the Microsoft Teams API to verify the existence of user accounts within a given Microsoft Entra ID environment before launching password spraying attempts. A recent update to the tool's code introduced a OneDrive-based enumeration method, enhancing its enumeration capabilities."
Attacks attributed to TeamFiltration have been observed originating from AWS infrastructure and rotating across multiple AWS regions, with password spraying attempts systematically spread for wider impact and to hinder detection.
Campaign analysis
Proofpoint began tracking a distinct activity set, UNK_SneakyStrike, after differentiating malicious use of TeamFiltration from legitimate penetration testing activity. The main difference was that attackers operated in indiscriminate, high-volume bursts across many cloud tenants, while security assessments tend to be more targeted and controlled.
Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts. Using a combination of unique characteristics, Proofpoint researchers were able to detect and track unauthorized activity attributed to TeamFiltration. According to Proofpoint findings, since December 2024 UNK_SneakyStrike activity has affected over 80,000 targeted user accounts across hundreds of organizations, resulting in several cases of successful account takeover. Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts. Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others.
The volume of login attempts linked to TeamFiltration saw a marked increase starting in December 2024, peaking in January 2025. Over 80,000 user accounts across approximately 100 cloud tenants were targeted, with multiple cases of account takeover observed.
Patterns and regional targeting
UNK_SneakyStrike activities typically occur in concentrated bursts, focusing on numerous users within a single cloud environment, and then pausing for periods of four to five days. The apparent strategy varies by organisation size: all users within smaller tenant environments are targeted, but only specific user subsets are selected among larger tenants.
The primary sources for malicious login activity were traced to AWS infrastructure in three regions: the United States (42% of IP addresses), Ireland (11%), and Great Britain (8%).
Tool risks and future outlook
Proofpoint noted that penetration testing tools such as TeamFiltration are intended to benefit defensive security operations, but acknowledged their potential for malicious use. "While tools such as TeamFiltration are designed to assist cyber security practitioners in testing and improving defense solutions, they can easily be weaponized by threat actors to compromise user accounts, exfiltrate sensitive data, and establish persistent footholds."
The company expects such advanced tools to become more common among attackers. "Proofpoint anticipates that threat actors will increasingly adopt advanced intrusion tools and platforms, such as TeamFiltration, as they pivot away from less effective intrusion methods."
Proofpoint has provided security indicators, including a list of observed IP addresses and user agent strings, to aid organisations in detecting potential unauthorised access related to this campaign. The company recommends correlating these indicators with additional context and behavioural analytics for accurate detections.
