Researchers at Proofpoint have uncovered that attackers are increasingly exploiting the TeamFiltration pentesting framework to execute brute-force attacks on Microsoft Entra ID accounts, previously known as Azure AD. This alarming trend has resulted in over 80,000 user accounts being targeted across approximately 100 organizations.
The surge in malicious activity began in December 2024 and reached its peak in January 2025, primarily linked to an ongoing campaign termed UNK_SneakyStrike. TeamFiltration, which was first released in 2021 as a legitimate pentesting tool, has been repurposed by cybercriminals to carry out systematic login attempts on user accounts.
This framework allows attackers to identify valid accounts, try common passwords against them, exfiltrate sensitive data, and even upload malicious files to services like OneDrive. The attackers set up a valid Microsoft 365 user account with a Microsoft 365 Business Basic license, using the Microsoft Teams API and AWS servers to facilitate their operations.
Cybersecurity experts have noted that the unauthorized access attempts tend to occur in concentrated bursts, followed by quiet periods lasting around four to five days. The strategy employed by UNK_SneakyStrike suggests a methodical approach: attempting access to all user accounts within smaller organizations, while focusing on a select few users in larger entities.
The consequences of a compromised Microsoft Entra ID account can be severe, especially if the account possesses high-level privileges. Attackers can exploit such access to reset passwords, modify security policies, disable multi-factor authentication, or erase audit logs, highlighting the need for robust security measures.
To mitigate the risk of account takeovers, organizations are advised to enforce strong, unique passwords and implement multi-factor authentication. Regular monitoring and review of login activity, alongside the establishment of conditional access policies and identity protection measures, are essential. Furthermore, disabling unused accounts can prevent unauthorized access.
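As an added illustration of the login-activity review recommended above (this is not code from Proofpoint or from the TeamFiltration project), the following Python snippet flags the burst pattern described earlier in constructed sign-in records: many distinct accounts attempted from one source inside a short window, and any successful sign-in from that same source. The sample records, IP addresses, user names and thresholds are constructed assumptions, not data from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Entra ID sign-in records (not real telemetry):
# (timestamp, source_ip, user, result). A spray looks like many distinct
# users, one attempt each, from one source within a short window.
SAMPLE_SIGNINS = [
    ("2025-01-10T02:00:05Z", "203.0.113.7", "alice@example.com", "fail"),
    ("2025-01-10T02:00:09Z", "203.0.113.7", "bob@example.com", "fail"),
    ("2025-01-10T02:00:12Z", "203.0.113.7", "carol@example.com", "fail"),
    ("2025-01-10T02:00:20Z", "203.0.113.7", "dave@example.com", "fail"),
    ("2025-01-10T02:00:31Z", "203.0.113.7", "erin@example.com", "success"),
    # A single user mistyping a password is not a spray.
    ("2025-01-10T09:15:00Z", "198.51.100.4", "alice@example.com", "fail"),
    ("2025-01-10T09:15:40Z", "198.51.100.4", "alice@example.com", "success"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_spray_bursts(records, window=timedelta(minutes=10), min_users=4):
    """Return {source_ip: set(users)} for every source that attempted at
    least `min_users` distinct accounts inside a sliding `window`.
    Thresholds are assumed values; tune them to the tenant's baseline."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in records:
        by_ip[ip].append((parse_ts(ts), user, result))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u, _ in events[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = users  # keeps the largest set seen for this ip
    return alerts


def successes_from_spray_sources(records, alerts):
    """Accounts that signed in successfully from a flagged source: these are
    the ones to review first for a valid-credential hit."""
    return {u for _, ip, u, r in records if ip in alerts and r == "success"}
```

Running this on the sample flags 203.0.113.7 (five accounts in under a minute) and surfaces erin@example.com as the success to investigate, while the single-user retries from 198.51.100.4 stay quiet.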
This development emphasizes the growing need for organizations to bolster their cybersecurity protocols to protect against increasingly sophisticated threats. By remaining vigilant and proactive, businesses can enhance their defenses and safeguard sensitive information against malicious actors.