A sophisticated cyberattack campaign has weaponized a legitimate penetration testing framework to compromise thousands of Microsoft cloud accounts across hundreds of organizations worldwide.<\/p>\n
The malicious operation, designated UNK_SneakyStrike, leverages TeamFiltration, a popular cybersecurity tool originally designed for Office 365 security assessments, to conduct large-scale account takeover attacks targeting Microsoft Teams, OneDrive, Outlook, and other enterprise applications.<\/p>\n
TeamFiltration emerged in January 2021 as a robust framework created by threat researchers and publicly released at DefCon30.<\/p>\n
The tool was originally intended to help security professionals simulate intrusions against cloud environments, offering capabilities for Office 365 Entra ID account takeover, data exfiltration, and persistent access establishment.<\/p>\n
However, like many dual-use security tools, TeamFiltration<\/a> has now been repurposed by cybercriminals to conduct unauthorized attacks against legitimate organizations.<\/p>\n The UNK_SneakyStrike campaign began its operations in December 2024, with activity peaking in January 2025.<\/p>\n Proofpoint researchers identified<\/a> the malicious use of TeamFiltration through careful analysis of the tool\u2019s distinctive characteristics and attack patterns.<\/p>\n Since the campaign\u2019s inception, threat actors have targeted over 80,000 user accounts across roughly 100 cloud tenants, resulting in multiple successful account compromises.<\/p>\n The attackers exploit TeamFiltration\u2019s advanced capabilities to conduct systematic user enumeration and password spraying attacks.<\/p>\n The framework utilizes Microsoft Teams API and Amazon Web Services infrastructure deployed across multiple geographical regions, with the majority of malicious traffic originating from the United States (42%), Ireland (11%), and Great Britain (8%).<\/p>\n This distributed approach helps attackers evade detection while maintaining operational resilience.<\/p>\n The technical sophistication of UNK_SneakyStrike lies in its exploitation of Microsoft\u2019s OAuth<\/a> client application ecosystem.<\/p>\n TeamFiltration targets specific client applications that belong to Microsoft\u2019s \u201cfamily refresh token\u201d group, enabling attackers to obtain special authentication tokens that can be exchanged across multiple Microsoft services.<\/p>\n The framework\u2019s configuration reveals a predefined list of target applications:-<\/p>\n Proofpoint analysts noted that attackers maintain persistence<\/a> through a \u201cbackdooring\u201d technique via OneDrive, uploading malicious files to target environments and replacing legitimate desktop files with malware-laden lookalikes.<\/p>\n The campaign\u2019s attack pattern involves highly concentrated bursts targeting multiple users within single cloud environments, followed by dormant periods lasting four to five days.<\/p>\n This tactical approach, combined with systematic AWS region rotation, demonstrates the threat actors\u2019 sophisticated understanding of detection evasion techniques and infrastructure management.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions ->\u00a0Try ANY.RUN now<\/strong><\/a><\/p>\n The post TeamFiltration Pentesting Tool Weaponized to Hijack Microsoft Teams, Outlook, and Other Accounts<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInfection Mechanism and Technical Implementation<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhR0v2r9ZvE48OpFp8UmonODXojbp9tWtaifvB8JBE7FykEQrc5Hb-1hyphenhypheniIT1afl6E580DY8eT-Pz653gQ7n0SRxLFw1ZqNBv2Quxzw9RkVZIx1GfbHP7LvA5uT3Ipjuyf1YOXGsUPKoE6LpUovoUxV-Bu9VelZubYs5cttjzeRr_N2hH2m67sgJu_uETs\/s16000\/Execution%2520flow%2520of%2520TeamFiltration%2520%28Source%2520-%2520Proofpoint%29.webp?ssl=1\")
var clientIdList = new List{\n(\"1fec8e78-bce4-4aaf-ab1b-5451cc387264\", \"Microsoft Teams\"),\n(\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\", \"Microsoft Azure CLI\"),\n(\"ab9b8c07-8f02-4f72-87fa-80105867a763\", \"OneDrive SyncEngine\"),\n(\"d3590ed6-52b3-4102-aeff-aad2292ab01c\", \"Microsoft Office\")\n};<\/code><\/pre>\n