Full Report
Hackers have been using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide. [...]
Analysis Summary
# Incident Report: Mass Password Spraying Against Microsoft Entra ID
## Executive Summary
Threat actors using the TeamFiltration toolset carried out a large-scale password spraying campaign against approximately 80,000 user accounts across hundreds of organizations that use Microsoft Entra ID. The goal of the attack was account takeover (ATO) through brute-force guessing of common passwords. The targeting was broad, and several successful compromises were reported, which prompted recommendations for stronger authentication controls.
## Incident Details
- **Discovery Date:** Not explicitly stated; implied to coincide with the reporting period of the Proofpoint research.
- **Incident Date:** Not explicitly stated; the scope implies a sustained campaign rather than a single event.
- **Affected Organization:** Hundreds of organizations utilizing Microsoft Entra ID.
- **Sector:** Not explicitly disclosed (Applicable across multiple sectors using Microsoft 365).
- **Geography:** Attacks originated primarily from the United States (42%), Ireland (11%), and the UK (8%).
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified.
- **Vector:** Password spraying attacks leveraging a large list of common passwords against Microsoft Entra ID user accounts.
- **Details:** Attackers utilized AWS servers across multiple regions to launch the attacks. They abused the Microsoft Teams API via a "sacrificial" Office 365 account (Business Basic license) for account enumeration purposes.
### Lateral Movement
- **Details:** Not described. The reporting focuses on gaining initial cloud access; any post-authentication movement following a successful takeover is not detailed.
### Data Exfiltration/Impact
- **Details:** Successful account takeovers (ATO) occurred in several instances. The article focuses on the *attempted* access rather than specific exfiltrated data.
### Detection & Response
- **How it was discovered:** Detection was attributed to analysis by Proofpoint researchers who identified the unique TeamFiltration user agent string and matching OAuth Client IDs.
- **Response actions taken:** Affected organizations were advised to block the malicious source IP addresses and to harden their authentication configuration (see Recommendations).
## Attack Methodology
- **Initial Access:** Password Spraying utilizing brute-force dictionary/common password attempts against cloud identity provider (Microsoft Entra ID).
- **Persistence:** Not explicitly detailed, but ATO implies the attackers successfully established persistent access credentials.
- **Privilege Escalation:** Not detailed in the scope of the initial spray, but implied post-ATO if further access was sought.
- **Defense Evasion:** Use of a rarely seen, specific TeamFiltration user agent string. Attacks were distributed across AWS infrastructure.
- **Credential Access:** Direct brute-force/spraying against username/password fields.
- **Discovery:** Account enumeration executed via abuse of the Microsoft Teams API using a sacrificial account.
- **Lateral Movement:** Not detailed.
- **Collection:** Not detailed.
- **Exfiltration:** Not detailed beyond successful account takeovers.
- **Impact:** Successful Account Takeover (ATO).
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Several successful account takeovers occurred; specific data compromised per victim is not detailed.
- **Operational:** Potential operational disruption due to successful ATOs necessitating immediate credential resets and access revocation.
- **Reputational:** Potential damage related to cloud account compromises within affected organizations.
## Indicators of Compromise
- **Network indicators (Defanged):** IPs traced primarily to the US, Ireland, and the UK. (Specific IPs were not listed in the summary provided, but users were advised to block those listed by Proofpoint).
- **File indicators:** None explicitly mentioned.
- **Behavioral indicators:** Use of the unique **TeamFiltration user agent string**; sign-in attempts to applications that are incompatible with the client the request claims to come from; use of the specific **OAuth client IDs** associated with TeamFiltration.
## Response Actions
- **Containment measures:** Organizations were advised to block all associated source IP addresses.
- **Eradication steps:** Not explicitly detailed, but successful eradication would involve forcing password resets on compromised accounts.
- **Recovery actions:** Not explicitly detailed.
## Lessons Learned
- **Key takeaways:** Large-scale, distributed password spraying remains a primary threat to cloud identity environments (Microsoft Entra ID). Attackers use specific toolsets (TeamFiltration) that exhibit unique signatures (user agents).
- **What could have been done better:** The necessity of robust MFA and conditional access policies is highlighted, suggesting that organizations lacking these controls are highly susceptible.
## Recommendations
- **Prevention measures for similar incidents:**
1. Immediately enable Multi-Factor Authentication (MFA) for all users.
2. Enforce OAuth 2.0 security standards.
3. Implement granular Conditional Access Policies within Microsoft Entra ID.
4. Create detection rules specifically targeting the known TeamFiltration user agent string.
5. Block reported malicious source IP ranges.
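The detection rule in item 4, and the spray pattern behind it, as an added example that is not part of the original report or of Proofpoint's research: a small detector over Microsoft Entra ID sign-in log records that flags tool-signature indicators (user agent, OAuth client ID) and the spray pattern itself (one source IP failing against many distinct users, then succeeding against one). The user agent marker, client IDs and sample records are placeholders constructed for the example, not the real TeamFiltration indicators.

```python
# Added example: not from the article or Proofpoint. Indicator values are
# PLACEHOLDERS; substitute the published TeamFiltration user agent / client IDs.
from collections import defaultdict

INVALID_CREDENTIALS = 50126  # Entra ID sign-in error code for a wrong password

# Placeholder indicators (constructed), to be replaced with published values.
TOOL_USER_AGENT_MARKERS = ("PLACEHOLDER-TEAMFILTRATION-UA",)
TOOL_CLIENT_IDS = {"00000000-0000-0000-0000-00000000abcd"}


def detect_spray(events, user_threshold=5):
    """Return signature hits, spraying source IPs, and successes from those IPs."""
    signature_hits = []
    failed_users_by_ip = defaultdict(set)
    successes_by_ip = defaultdict(list)
    for ev in events:
        ua = ev.get("userAgent", "")
        if ev.get("appId") in TOOL_CLIENT_IDS or any(m in ua for m in TOOL_USER_AGENT_MARKERS):
            signature_hits.append((ev["ipAddress"], ev["userPrincipalName"]))
        if ev["errorCode"] == INVALID_CREDENTIALS:
            failed_users_by_ip[ev["ipAddress"]].add(ev["userPrincipalName"])
        elif ev["errorCode"] == 0:
            successes_by_ip[ev["ipAddress"]].append(ev["userPrincipalName"])
    # A spray source is one IP producing bad-password failures for many distinct users.
    spray_sources = {ip: len(u) for ip, u in failed_users_by_ip.items() if len(u) >= user_threshold}
    # A success from an IP that also sprayed is the account-takeover case to escalate.
    successes = [(ip, u) for ip in spray_sources for u in successes_by_ip.get(ip, [])]
    return {"signature_hits": signature_hits, "spray_sources": spray_sources, "successes": successes}


# Constructed sample records; field names loosely follow Entra sign-in log fields.
SAMPLE_EVENTS = [
    {"ipAddress": "203.0.113.7", "userPrincipalName": f"user{i}@example.com",
     "errorCode": INVALID_CREDENTIALS, "userAgent": "PLACEHOLDER-TEAMFILTRATION-UA/1.0",
     "appId": "PLACEHOLDER-BENIGN-APPID"} for i in range(6)
] + [
    {"ipAddress": "203.0.113.7", "userPrincipalName": "user6@example.com", "errorCode": 0,
     "userAgent": "PLACEHOLDER-TEAMFILTRATION-UA/1.0", "appId": "00000000-0000-0000-0000-00000000abcd"},
    {"ipAddress": "198.51.100.9", "userPrincipalName": "alice@example.com",
     "errorCode": INVALID_CREDENTIALS, "userAgent": "Mozilla/5.0", "appId": "PLACEHOLDER-BENIGN-APPID"},
]

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
```

The threshold and the single-IP grouping are deliberately simple; a distributed spray like the one described (many AWS regions) needs the same logic applied per ASN or per autonomous-system prefix as well.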