Hackers Weaponize TeamFiltration: Open-Source Pentest Tool Powers Major Entra ID Account Takeover Wave

What began as a legitimate penetration testing framework has now become the centerpiece of a sprawling campaign compromising tens of thousands of enterprise cloud accounts. In a recently disclosed report, Proofpoint researchers unveiled UNK_SneakyStrike—a large-scale, stealthy attack series exploiting the open-source tool TeamFiltration to infiltrate Microsoft Entra ID environments.


The campaign, active since December 2024, has already targeted more than 80,000 user accounts across hundreds of organizations, with multiple successful account takeovers (ATOs). At its core: a repurposed red-team toolkit that automates cloud reconnaissance, credential attacks, and data theft—now operating in the wild.


“The targeting of more than 80,000 Entra ID user accounts by leveraging TeamFiltration leaves hundreds of organizations vulnerable,” said Eric Woodruff, Chief Identity Architect at Semperis. “It’s a sobering reminder that hackers can quickly turn the tables on defenders and repurpose open-source penetration tools for nefarious cyber activity.”

From DefCon Demo to Digital Threat


TeamFiltration was originally introduced as a red-teaming framework in 2021 and gained attention for its ability to simulate account takeovers in Microsoft 365 environments. At its release, it was a valuable resource for ethical hackers and enterprise security teams seeking to understand their weaknesses.


But in the hands of malicious actors behind UNK_SneakyStrike, TeamFiltration has become a formidable cyber weapon.


Proofpoint researchers traced activity to AWS servers systematically rotated across regions—particularly in the U.S., Ireland, and Great Britain—to obfuscate origin. Attackers used the Microsoft Teams API to validate users and launch password spraying attempts en masse. Upon gaining access, they targeted Outlook, OneDrive, and other native Microsoft apps for data exfiltration and persistence.


Inside the Attack Chain


Proofpoint's analysis revealed several indicators unique to TeamFiltration, including an outdated Microsoft Teams user agent string and abnormal sign-in behavior from incompatible devices—signals of spoofing and client misrepresentation. The attackers also exploited a feature of Microsoft’s OAuth ecosystem: family refresh tokens. With these tokens, threat actors were able to maintain access across multiple Microsoft applications even after password resets.


Some of TeamFiltration’s code also included misconfigured application IDs, pointing to the use of an outdated dataset, possibly lifted from public research on Microsoft OAuth client IDs. But the missteps didn’t reduce effectiveness—in fact, they helped tie the intrusion methods back to the original toolset.


“Organizations need to adopt a multi-layered, identity-first security approach,” Woodruff warned. “Mitigation efforts should center around reducing their attack surface, increasing visibility, and enforcing strong access controls.”

Service Accounts: The Soft Underbelly


Beyond user accounts, attackers are also eyeing a less protected but highly valuable identity category: non-human service accounts. These accounts, often used by applications or backend processes, tend to escape scrutiny—despite outnumbering human identities by up to 10-to-1.


“Hackers consider them a high-value target, especially in cloud environments,” Woodruff explained. “Unfortunately, non-human accounts can often fall through the governance protocol cracks. To harden them, organizations should treat them as critical identity assets, just like privileged human users.”

He advises restricting exposure, limiting permissions, and ensuring constant monitoring of service account behavior.


A Rising Tide of Misused Pentest Tools


TeamFiltration is just the latest example of a broader trend: red-team and penetration testing tools—often open source—being co-opted by cybercriminals for real-world exploitation. The line between simulation and attack continues to blur.


And the implications go beyond one campaign. Proofpoint expects the use of tools like TeamFiltration to rise as attackers abandon brute-force methods in favor of stealthier, modular intrusion chains.


For defenders, attribution becomes harder—and urgency mounts.


Looking Ahead


As enterprise cloud environments grow in complexity, attackers are increasingly exploiting the same tools defenders once used to protect them. The UNK_SneakyStrike campaign is a stark reminder: just because a tool was built for good doesn’t mean it can’t be used for harm.


For now, the best defense is visibility. Proofpoint urges organizations to monitor user and app behavior closely, track sign-in anomalies, and correlate activity with known indicators tied to TeamFiltration’s unique fingerprint.
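The monitoring Proofpoint recommends here, applied to the indicators described under “Inside the Attack Chain” (a password-spray pattern, an outdated Teams user agent, and sign-ins from clients that do not match the reported device), as an added example that is not Proofpoint's, Semperis's or TeamFiltration's code: a small Python pass over constructed Entra ID-style sign-in events. The log field names, the Teams user-agent format and the baseline build number are assumptions; TeamFiltration's actual fingerprint is not reproduced.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real telemetry: field names, UA formats and the baseline build are assumed.
def ev(time, ip, user, result, ua, os):
    return {"time": time, "ip": ip, "user": user, "result": result, "app": "Microsoft Teams", "ua": ua, "os": os}
SIGNIN_EVENTS = [ev(f"2025-01-10T08:00:{i:02d}", "203.0.113.10", f"user{i}@example.com", "failure",
                    "Teams/1.3.00.1234", "Windows 10") for i in range(6)] + [  # one IP, many accounts, seconds apart
    ev("2025-01-10T08:05:00", "203.0.113.10", "user3@example.com", "success", "Teams/1.3.00.1234", "Windows 10"),  # spray hit
    ev("2025-01-10T09:00:00", "198.51.100.7", "bob@example.com", "success", "TeamsMobile-iOS/5.0", "Windows 11"),  # mobile UA, desktop OS
    ev("2025-01-10T09:30:00", "198.51.100.8", "carol@example.com", "success", "Teams/1.7.00.2000", "Windows 11"),  # benign
]

MIN_TEAMS_BUILD = (1, 6, 0, 0)  # assumed baseline; set to the oldest build your fleet legitimately runs
UA_RE = re.compile(r"Teams/(\d+)\.(\d+)\.(\d+)\.(\d+)")
MOBILE = ("iOS", "Android")
def outdated_teams_client(ua):
    """True when the UA carries a Teams build number below the baseline."""
    m = UA_RE.search(ua)
    return bool(m) and tuple(int(x) for x in m.groups()) < MIN_TEAMS_BUILD
def client_os_mismatch(ua, os_name):
    """True when a mobile client string is paired with a desktop OS, or vice versa."""
    return any(t in ua for t in MOBILE) != any(t in os_name for t in MOBILE)

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return source IPs whose failures hit at least min_users distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()  # sliding window over chronologically ordered failures
        for i, (t0, _) in enumerate(attempts):
            if len({u for t, u in attempts[i:] if t - t0 <= window}) >= min_users:
                flagged.add(ip)
                break
    return flagged

def detect_client_anomalies(events):
    """Return (user, reason) pairs for successful Teams sign-ins with an outdated or inconsistent client."""
    findings = []
    for e in events:
        if e["result"] == "success" and e["app"] == "Microsoft Teams":
            if outdated_teams_client(e["ua"]):
                findings.append((e["user"], "outdated Teams client"))
            if client_os_mismatch(e["ua"], e["os"]):
                findings.append((e["user"], "client/OS mismatch"))
    return findings
```

Correlating the two outputs (a sprayed source IP that later produces a success from an outdated client, as user3 does here) is what separates a noisy spray from a likely takeover worth a token revocation.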


Because when open-source tools go rogue, the only difference between a test and a breach… is who’s behind the keyboard.