Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/06/over-80000-microsoft-entra-id-accounts.html

ONE SENTENCE SUMMARY: Attackers exploit TeamFiltration to target Microsoft Entra ID accounts, compromising over 80,000 users via password spraying and enumeration methods.

MAIN POINTS:

  1. A new account takeover (ATO) campaign named UNK_SneakyStrike targets Microsoft Entra ID user accounts.
  2. Attackers leveraged the open-source framework TeamFiltration, originally built for penetration testing.
  3. Over 80,000 user accounts breached across numerous cloud tenants since December 2024.
  4. Microsoft Teams API and AWS servers were utilized to perform attacks.
  5. Primary attack methods include password spraying, user enumeration, and data exfiltration.
  6. Malicious files were uploaded to victims’ Microsoft OneDrive accounts for persistent access.
  7. Attack waves originated from geographically dispersed AWS servers to evade detection.
  8. Top attacking regions were United States (42%), Ireland (11%), and Great Britain (8%).
  9. Attacks occurred in concentrated bursts followed by quiet periods of four to five days.
  10. Smaller cloud tenants experienced broad targeting, while larger tenants had selective targeting.

TAKEAWAYS:

  1. Security tools intended for protection can be weaponized by attackers.
  2. Organizations must monitor for abnormal login attempts and geographic patterns.
  3. Regularly review and tighten user account access and permissions in cloud environments.
  4. Implement proactive defenses such as multi-factor authentication to counteract password spraying.
  5. Remain vigilant about publicly available security frameworks being misused by threat actors.
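
One way to act on takeaway 2, given the burst pattern and dispersed sources in main points 7 and 9. This is an added example, not code from the article or from TeamFiltration. It groups failed sign-ins into bursts tenant-wide instead of per IP, and lists sprayed accounts that then signed in successfully from a spraying address. The record fields (time, user, ip, country, ok) and all sample values are constructed assumptions, not a real log schema.

```python
from datetime import datetime, timedelta

def find_spray_bursts(events, gap=timedelta(minutes=10), min_users=5, max_tries=2.0):
    """Flag bursts of failed sign-ins that touch many users with few tries each."""
    failures = sorted((e for e in events if not e["ok"]), key=lambda e: e["time"])
    bursts = []
    for e in failures:  # split the failure stream wherever it is quiet for > gap
        if bursts and e["time"] - bursts[-1][-1]["time"] <= gap:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    findings = []
    for b in bursts:
        users = {e["user"] for e in b}
        if len(users) < min_users or len(b) / len(users) > max_tries:
            continue  # few users, or many tries per user: not a spray shape
        ips = {e["ip"] for e in b}  # collected per burst: sources are dispersed
        start, end = b[0]["time"], b[-1]["time"]
        # Sprayed accounts that then signed in from one of the spraying addresses
        hits = sorted({e["user"] for e in events
                       if e["ok"] and e["ip"] in ips and e["user"] in users
                       and start <= e["time"] <= end + gap})
        findings.append({"start": start, "end": end, "users": len(users),
                         "source_ips": len(ips),
                         "countries": sorted({e["country"] for e in b}),
                         "review_first": hits})
    return findings

def sample_events():
    """Constructed records (documentation IP ranges, example.com users)."""
    srcs = [("192.0.2.10", "US"), ("198.51.100.7", "IE"), ("203.0.113.5", "GB")]
    t0 = datetime(2025, 1, 6, 9, 0)
    ev = []
    for day in (0, 5):  # two bursts separated by a five-day quiet period
        for i in range(6):
            ip, cc = srcs[i % 3]
            ev.append({"time": t0 + timedelta(days=day, minutes=i),
                       "user": f"user{i}@example.com", "ip": ip, "country": cc, "ok": False})
    # One sprayed account signs in successfully from a spraying address
    ev.append({"time": t0 + timedelta(minutes=8), "user": "user3@example.com",
               "ip": "192.0.2.10", "country": "US", "ok": True})
    for i in range(3):  # benign noise: one user mistyping a password
        ev.append({"time": t0 + timedelta(days=2, minutes=i), "user": "alice@example.com",
                   "ip": "192.0.2.99", "country": "US", "ok": False})
    return ev

if __name__ == "__main__":
    for finding in find_spray_bursts(sample_events()):
        print(finding)
```

The thresholds (gap, min_users, max_tries) are illustrative defaults and need tuning against a tenant's normal failure rate.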