The line between ethical penetration testing and real-world exploitation has never been thinner. TeamFiltration, a legitimate open-source framework designed for red teaming, is now emerging as a preferred weapon in the arsenal of malicious actors targeting Microsoft Entra ID (formerly Azure Active Directory). A new wave of attacks, identified as UNK_SneakyStrike by researchers at Proofpoint, is exploiting this tool with chilling efficiency.
Since December 2024, this campaign has quietly stormed through nearly 100 cloud tenants, targeting 80,000 user accounts with precise, programmatic password spraying and enumeration techniques. Designed to appear as standard network traffic, TeamFiltration leverages Microsoft Teams APIs and OAuth single sign-on pathways to validate accounts and stay under the radar.
At its core, the framework uses AWS to rotate the geographic origin of its password attacks, bypassing many geolocation-based security controls. Misconfigured conditional access policies become the perfect backdoors: overlooked MFA exceptions for tools like Teams give attackers just enough access to embed themselves.
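The MFA exceptions described above are easiest to spot as a coverage question: for each application and each user, is there at least one enabled policy that actually requires MFA? The following audit is an added example written for this article, not code from Proofpoint, Microsoft or the TeamFiltration project. Its flattened policy records and every value in them are constructed for illustration; the field names only loosely echo conditional access vocabulary (included/excluded apps and users, grant controls, policy state) and are not the Graph API schema.

```python
"""Audit conditional access policies for (app, user) pairs that can sign in
without MFA. Constructed example: simplified policy shape, made-up tenant."""

ALL = "All"  # sentinel meaning "every app" / "every user", as in the constructed schema

# Constructed sample policies illustrating three common gaps:
#  1. a tenant-wide MFA policy that carves out Teams and one service account,
#  2. a Teams MFA policy left in report-only mode (enforces nothing),
#  3. a Teams MFA policy that exists but is disabled.
SAMPLE_POLICIES = [
    {"name": "Require MFA for all cloud apps", "state": "enabled",
     "include_apps": [ALL], "exclude_apps": ["Microsoft Teams"],
     "include_users": [ALL], "exclude_users": ["svc-legacy-sync@corp.example"],
     "grant_controls": ["mfa"]},
    {"name": "Require MFA for Teams (report-only)", "state": "report_only",
     "include_apps": ["Microsoft Teams"], "exclude_apps": [],
     "include_users": [ALL], "exclude_users": [],
     "grant_controls": ["mfa"]},
    {"name": "Require MFA for Teams (old)", "state": "disabled",
     "include_apps": ["Microsoft Teams"], "exclude_apps": [],
     "include_users": [ALL], "exclude_users": [],
     "grant_controls": ["mfa"]},
]


def _targets(policy, key_include, key_exclude, value):
    """True if the policy's include/exclude lists select this app or user."""
    included = ALL in policy[key_include] or value in policy[key_include]
    return included and value not in policy[key_exclude]


def mfa_policies_covering(policies, app, user):
    """Names of enabled, MFA-requiring policies that apply to (app, user)."""
    return [
        p["name"] for p in policies
        if p["state"] == "enabled"
        and "mfa" in p["grant_controls"]
        and _targets(p, "include_apps", "exclude_apps", app)
        and _targets(p, "include_users", "exclude_users", user)
    ]


def audit_mfa_gaps(policies, apps, users):
    """Return every (app, user) pair no enabled MFA policy protects."""
    return [(app, user) for app in apps for user in users
            if not mfa_policies_covering(policies, app, user)]


def unenforced_mfa_policies(policies):
    """MFA policies that exist but enforce nothing (report-only or disabled).
    These often explain why an admin believes an app is covered when it is not."""
    return [p["name"] for p in policies
            if "mfa" in p["grant_controls"] and p["state"] != "enabled"]


if __name__ == "__main__":
    apps = ["Microsoft Teams", "Office 365 Exchange Online"]
    users = ["alice@corp.example", "svc-legacy-sync@corp.example"]
    for app, user in audit_mfa_gaps(SAMPLE_POLICIES, apps, users):
        print(f"NO MFA: {user} -> {app}")
    for name in unenforced_mfa_policies(SAMPLE_POLICIES):
        print(f"unenforced MFA policy: {name}")
```

In a real tenant the `apps` and `users` lists would be pulled from the directory and the policies exported from the identity provider; the check itself stays the same: an app is only protected when the coverage list is non-empty for every user who can reach it, and excluded service accounts are exactly the "just enough access" the article warns about.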
Worse still, TeamFiltration capitalizes on Microsoft’s “family refresh token” mechanism. This allows attackers to expand access across multiple applications within the same identity family; a single compromised account becomes a skeleton key to an enterprise’s cloud.
Once inside, the exfiltration phase begins. Teams chats, file attachments, and user metadata are siphoned off with surgical precision. Proofpoint’s investigation underscores the deliberate, scalable nature of these attacks: smaller tenants are fully targeted, while larger environments see only key users probed, a testament to the tool’s filtering capability.
TeamFiltration’s true threat lies in its stealth. By using legitimate services, its operations mimic regular behavior, enabling persistent access without tripping alarms. It’s not brute force, it’s camouflage in motion.
The Quiet Shift in Threat Landscapes
UNK_SneakyStrike may be the tip of the iceberg. Proofpoint anticipates more threat actors will repurpose red team tools like TeamFiltration for actual intrusions, blurring the ethical boundaries of cybersecurity tooling. This trend elevates the need for cloud-native detection strategies and policy enforcement.
Organizations must urgently revisit their cloud security postures:
- Enforce MFA without exception
- Audit conditional access policies
- Monitor for behavioral anomalies using AI-driven analytics
Attackers aren’t just breaking in, they’re walking through open doors, concealed by the architecture they exploit.
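The behavioural signal behind the spraying described in this article is not a burst against one account but one or two failures against many accounts, from source addresses that rotate. The detector below is an added example written for this piece, not code from Proofpoint or TeamFiltration. The sign-in records, their schema (timestamp, user, source IP, application, result), the documentation-range IP addresses and the thresholds are all constructed assumptions; adapt the field mapping to the export format of your own identity provider.

```python
"""Detect low-and-slow password spraying in sign-in logs, then flag a
success for a sprayed account. Constructed example with made-up events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins: eight accounts, one failure each, from four
# rotating IPs against Teams; one sprayed account then authenticates; a
# benign user (ivan) mistypes twice from his usual address and then succeeds.
SAMPLE_EVENTS = [
    # (timestamp, user, source_ip, application, result)
    ("2025-01-10T09:00:00", "alice@corp.example", "203.0.113.10", "Microsoft Teams", "failure"),
    ("2025-01-10T09:00:40", "bob@corp.example",   "203.0.113.11", "Microsoft Teams", "failure"),
    ("2025-01-10T09:01:20", "carol@corp.example", "198.51.100.7", "Microsoft Teams", "failure"),
    ("2025-01-10T09:02:00", "dave@corp.example",  "198.51.100.8", "Microsoft Teams", "failure"),
    ("2025-01-10T09:02:40", "erin@corp.example",  "203.0.113.10", "Microsoft Teams", "failure"),
    ("2025-01-10T09:03:20", "frank@corp.example", "203.0.113.11", "Microsoft Teams", "failure"),
    ("2025-01-10T09:04:00", "grace@corp.example", "198.51.100.7", "Microsoft Teams", "failure"),
    ("2025-01-10T09:04:40", "heidi@corp.example", "198.51.100.8", "Microsoft Teams", "failure"),
    ("2025-01-10T09:05:00", "ivan@corp.example",  "192.0.2.25",   "Office 365 Exchange Online", "failure"),
    ("2025-01-10T09:05:30", "ivan@corp.example",  "192.0.2.25",   "Office 365 Exchange Online", "failure"),
    ("2025-01-10T09:06:00", "ivan@corp.example",  "192.0.2.25",   "Office 365 Exchange Online", "success"),
    ("2025-01-10T09:12:00", "dave@corp.example",  "198.51.100.8", "Microsoft Teams", "success"),
]


def detect_spray(events, window=timedelta(minutes=10), min_users=5, min_users_per_ip=2):
    """One alert per fixed time window in which 'spray IPs' (addresses that
    failed against at least min_users_per_ip distinct accounts) collectively
    touched at least min_users accounts. A user who only fails from an IP
    that tried nobody else is treated as a typo, not a victim."""
    by_window = defaultdict(list)
    for ts, user, ip, app, result in events:
        t = datetime.fromisoformat(ts)
        start = t - ((t - datetime.min) % window)   # floor to window boundary
        by_window[start].append((t, user, ip, app, result))

    alerts = []
    for start in sorted(by_window):
        users_by_ip, attempts_by_ip = defaultdict(set), defaultdict(int)
        for _, user, ip, _, result in by_window[start]:
            if result == "failure":
                users_by_ip[ip].add(user)
                attempts_by_ip[ip] += 1
        spray_ips = {ip for ip, users in users_by_ip.items() if len(users) >= min_users_per_ip}
        sprayed = set()
        for ip in spray_ips:
            sprayed |= users_by_ip[ip]
        if len(sprayed) >= min_users:
            alerts.append({
                "type": "password_spray",
                "window_start": start,
                "users": sorted(sprayed),
                "source_ips": sorted(spray_ips),        # >1 IP indicates rotation
                "failures": sum(attempts_by_ip[ip] for ip in spray_ips),
            })
    return alerts


def flag_post_spray_success(events, spray_alerts, lookback=timedelta(hours=1)):
    """A successful sign-in by a sprayed account shortly after the spray is
    the highest-value alert: it is the moment the spray may have landed."""
    hits = []
    for ts, user, ip, app, result in events:
        if result != "success":
            continue
        t = datetime.fromisoformat(ts)
        for a in spray_alerts:
            if user in a["users"] and a["window_start"] <= t <= a["window_start"] + lookback:
                hits.append({"type": "possible_account_compromise", "user": user,
                             "ip": ip, "app": app, "time": t,
                             "ip_in_spray_infra": ip in a["source_ips"]})
                break
    return hits


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_EVENTS)
    for a in sprays:
        print(f"{a['window_start']}: {len(a['users'])} accounts sprayed from {a['source_ips']}")
    for h in flag_post_spray_success(SAMPLE_EVENTS, sprays):
        print(f"INVESTIGATE {h['user']} via {h['app']} from {h['ip']} (spray IP: {h['ip_in_spray_infra']})")
```

Two design choices matter here. Keying the victim set on IPs that fail against several accounts, rather than on per-user failure counts, is what lets the detector ignore ivan's two honest typos while still catching a campaign that touches each target only once. And the second function exists because an alert on the spray alone is noise to many teams; the success that follows it, especially from the same infrastructure, is what justifies an incident.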
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. In light of growing threats like TeamFiltration, we help clients:
- Detect unauthorized access via cloud-native behavioral analytics
- Identify and remediate misconfigured access policies
- Run controlled simulations of advanced TTPs like password spraying
- Train staff to recognize signs of account takeover and social engineering
- Secure Teams and other collaboration platforms often left exposed
Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services
With social engineering attacks evolving rapidly and spreading laterally into networks with unprecedented speed, our emphasis is not just on preventing intrusions but on building resilience against the unknown.
Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption. Stay alert. Stay cyber safe.