Full Report
Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts. The activity, codenamed UNK_SneakyStrike by Proofpoint, has affected over 80,000 targeted user accounts across hundreds of organizations' cloud tenants since a
Analysis Summary
# Tool/Technique: TeamFiltration
## Overview
TeamFiltration is an open-source penetration testing framework, publicly released in August 2022, that has been observed being misused in large-scale account takeover (ATO) campaigns (codenamed UNK_SneakyStrike by Proofpoint) targeting Microsoft Entra ID accounts. Its purpose is to enumerate, spray passwords against, exfiltrate data from, and backdoor Entra ID accounts.
## Technical Details
- Type: Tool (Penetration Testing Framework/Misused Utility)
- Platform: Microsoft Entra ID (Azure Active Directory), leverages AWS infrastructure.
- Capabilities: User enumeration, password spraying, data exfiltration, backdoor establishment via OneDrive malicious file uploads.
- First Seen: Publicly released in August 2022.
## MITRE ATT&CK Mapping
The observed activity primarily focuses on initial access and discovery against cloud identities:
- **T1595 - Active Scanning**
- T1595.002 - Password Spraying
- **T1087 - Account Discovery**
- T1087.004 - Cloud Accounts
- **T1110 - Brute Force**
- T1110.003 - Password Guessing
- **T1536 - Data from Information Repositories** (In context of exfiltration via OneDrive)
## Functionality
### Core Capabilities
- Facilitating password spraying against Microsoft 365 tenants.
- Enumerating user accounts within Entra ID.
- Exploiting access to native Microsoft applications like Teams, OneDrive, and Outlook after gaining identity access.
- Utilizing Microsoft Teams API and external AWS servers to launch attacks in a distributed manner, often shifting geographic locations for each spraying wave.
### Advanced Features
- Advanced target acquisition features designed to filter out "less desirable accounts," suggesting sophisticated account selection logic.
- Establishing persistence by uploading malicious files to the target's Microsoft OneDrive account.
- Operations are often conducted in "highly concentrated bursts" targeting users, followed by lulls, indicating tailored operational tempo.
## Indicators of Compromise
*Note: As TeamFiltration is a framework, IOCs are generally associated with the abuse campaigns, not the tool itself.*
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: Attacks originate from multiple AWS servers globally; primary source geographies observed include the United States (42%), Ireland (11%), and Great Britain (8%) (Defanged: `usa-aws`, `ireland-aws`, `uk-aws`).
- Behavioral Indicators: High volume user enumeration and password spraying attempts against Entra ID/Microsoft 365, often originating from different geographic locations in bursts.
## Associated Threat Actors
The reported campaign leveraging TeamFiltration is codenamed **UNK_SneakyStrike** by Proofpoint. Specific named threat actor groups are **not** explicitly mentioned in the provided context; only the campaign name is given.
## Detection Methods
- Signature-based detection: [Not detailed, but signature creation for specific patterns of password spraying activity targeting M365 APIs would be applicable.]
- Behavioral detection: Monitoring for high-volume, multi-source (AWS IPs) password spraying directed at Entra ID authentications, especially if targeting specific user subsets based on acquisition features.
- YARA rules: [Not provided in context]
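The behavioral pattern above (many users, few attempts each, sources shifting between countries in short bursts) can be scored directly from Entra ID sign-in logs. The following is an added example, not code from the report or from Proofpoint: it buckets failed sign-ins into 10-minute windows and flags windows that are wide across users, shallow per user and multi-country. The sample records, IP addresses, thresholds and the `country` field are constructed assumptions; `errorCode` values 50126 (invalid username or password) and 50034 (user account not found) are real Entra ID sign-in error codes.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Entra ID sign-in error codes of interest (real values): 50126 = invalid
# username or password (spray hit on a real account), 50034 = user not found
# (useful as an enumeration signal). The set itself is an assumption.
FAILURE_CODES = {50126, 50034}


def build_sample_events():
    """Constructed sample (not real telemetry): a 10-user burst from three
    sources in three countries, then one user mistyping a password 5 times."""
    sources = [("203.0.113.10", "US"), ("198.51.100.22", "IE"), ("192.0.2.35", "GB")]
    events = []
    for n in range(10):
        ip, cc = sources[n % 3]
        events.append({"createdDateTime": f"2025-06-12T14:0{n}:15",
                       "userPrincipalName": f"user{n}@example.com",
                       "ipAddress": ip, "country": cc,
                       "errorCode": 50034 if n == 7 else 50126})
    for n in range(5):  # benign: one user, one IP, repeated failures
        events.append({"createdDateTime": f"2025-06-12T15:2{n}:05",
                       "userPrincipalName": "alice@example.com",
                       "ipAddress": "10.0.0.5", "country": "US", "errorCode": 50126})
    return events


def detect_spray_windows(events, window_minutes=10, min_users=8,
                         max_attempts_per_user=2, min_countries=2):
    """Return one alert per fixed window whose failures look like a
    distributed spray: broad across users, shallow per user, multi-country."""
    buckets = defaultdict(list)
    for e in events:
        if e["errorCode"] not in FAILURE_CODES:
            continue
        ts = datetime.fromisoformat(e["createdDateTime"])
        start = ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                           second=0, microsecond=0)
        buckets[start].append(e)
    alerts = []
    for start, evs in sorted(buckets.items()):
        per_user = Counter(e["userPrincipalName"] for e in evs)
        countries = {e["country"] for e in evs}
        if (len(per_user) >= min_users
                and max(per_user.values()) <= max_attempts_per_user
                and len(countries) >= min_countries):
            alerts.append({"window_start": start.isoformat(), "users": len(per_user),
                           "source_ips": len({e["ipAddress"] for e in evs}),
                           "countries": sorted(countries),
                           "enumeration_hits": sum(e["errorCode"] == 50034 for e in evs)})
    return alerts
```

Tune `min_users` and `max_attempts_per_user` to the tenant's baseline; the single-user cluster in the sample is deliberately not flagged, since repeated failures for one account are a lockout or typo pattern, not a spray.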
## Mitigation Strategies
- Prevention measures: Implementing strong multi-factor authentication (MFA) across all Microsoft Entra ID accounts.
- Hardening recommendations: Validating Entra ID application access permissions, especially for native applications and APIs used by the tool (e.g., Teams API). Monitoring and, where possible, restricting access from known compromised or suspicious AWS-originating IPs. Implementing identity-based anomaly detection.
## Related Tools/Techniques
- Other open-source tools used for cloud enumeration or credential stuffing/spraying against cloud identity providers.
- Frameworks designed for cross-platform cloud penetration testing.