
Entra ID Account Takeover Attacks: Researchers Issue Urgent Warning

Summary

– Attackers are using the TeamFiltration pentesting framework to brute-force Microsoft Entra ID accounts, with a surge in activity since December 2024.
– Over 80,000 user accounts across 100 organizations have been targeted, leading to multiple account takeovers by the UNK_SneakyStrike campaign.
– TeamFiltration identifies valid accounts, performs password spraying, and exfiltrates or replaces files to enable persistent access and lateral movement.
– Attackers use the Microsoft Teams API to verify that accounts exist, and AWS servers to conduct password spraying from various geographic locations.
– To defend against these attacks, organizations should enforce strong passwords, MFA, monitor logins, and disable unused accounts.

Security experts are sounding the alarm about a dangerous wave of account takeover attacks targeting Microsoft Entra ID (previously Azure AD) systems. Researchers at Proofpoint have uncovered a sophisticated campaign using the TeamFiltration penetration testing framework to brute-force access to corporate accounts, putting thousands of organizations at risk.

The attacks, linked to a threat group called UNK_SneakyStrike, began escalating dramatically in late 2024. By January 2025, hackers had targeted more than 80,000 user accounts across approximately 100 different organizations, successfully compromising multiple systems. What makes this campaign particularly concerning is how attackers are weaponizing legitimate security tools for malicious purposes.

TeamFiltration provides attackers with several dangerous capabilities. It can enumerate valid user accounts, test common password combinations against them, and steal sensitive files from compromised accounts. Once inside, hackers replace legitimate OneDrive files with malicious versions to maintain persistent access. The attackers have even registered legitimate Microsoft 365 Business Basic accounts to blend in with normal traffic while using AWS infrastructure to launch attacks from multiple global locations.


Proofpoint’s analysis reveals distinct patterns in these intrusions. Attackers typically focus on smaller organizations, attempting to breach every account, while being more selective in larger enterprises. Activity comes in intense bursts followed by several days of silence, a tactic likely designed to evade detection systems.

The consequences of these breaches can be devastating. Compromised admin accounts give attackers free rein to reset passwords, disable security controls like MFA, alter access policies, and delete critical audit logs. Even standard user accounts can serve as entry points for lateral movement through corporate networks.

To defend against these threats, organizations must implement multi-layered security measures. Enforcing strong, unique passwords combined with mandatory multi-factor authentication forms the first critical barrier. Security teams should also monitor login patterns, implement conditional access policies, and regularly review identity protection alerts. Disabling unused accounts and maintaining rigorous log monitoring can further reduce attack surfaces.
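As an added example (not from the Proofpoint research or the article's source), the following Python sketch of the login-pattern monitoring recommended above flags password spraying in Entra ID sign-in records: many distinct accounts failing from one source inside a short window, with only a few guesses per account, which also distinguishes a spray from one user mistyping a password. The sample events, account names, addresses and timestamps are constructed; error code 50126 is Entra's invalid-credentials result code.

```python
# Password-spray detection over (constructed) Entra ID sign-in log records.
# Field names follow the Entra sign-in log schema, flattened for brevity.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID result code: invalid username or password


def _event(ts, upn, ip, code=INVALID_CREDENTIALS):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "errorCode": code}

# Constructed sample: a spray hitting eight distinct accounts once each from one
# source within a minute, plus a real user mistyping a password four times and
# then succeeding. UPNs, IPs and timestamps are made up for this example.
SAMPLE_SIGNINS = (
    [_event(f"2025-01-10T02:00:{i * 7:02d}Z", f"user{i}@example.com", "203.0.113.7")
     for i in range(8)]
    + [_event(f"2025-01-10T09:12:{i * 10:02d}Z", "alice@example.com", "198.51.100.4")
       for i in range(4)]
    + [_event("2025-01-10T09:13:00Z", "alice@example.com", "198.51.100.4", code=0)]
)


def detect_spray(events, window=timedelta(minutes=10), min_users=5,
                 max_per_user=3, key_by_ip=True):
    """Flag sources that failed against >= min_users distinct accounts inside
    `window` with <= max_per_user attempts per account (the spray signature).
    key_by_ip=False evaluates the tenant as a whole, which still catches a
    spray spread across rotating source addresses. Returns [(source, start, n)]."""
    by_src = defaultdict(list)
    for e in events:
        if e["errorCode"] == INVALID_CREDENTIALS:
            src = e["ipAddress"] if key_by_ip else "tenant"
            by_src[src].append((datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
                                e["userPrincipalName"]))
    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        best, start = None, 0
        for end, (t_end, _) in enumerate(fails):
            while t_end - fails[start][0] > window:  # slide the window forward
                start += 1
            per_user = Counter(upn for _, upn in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best[2]:
                    best = (src, fails[start][0], len(per_user))  # widest window seen
        if best:
            alerts.append(best)
    return alerts
```

Thresholds are deliberately conservative; tune `window` and `min_users` to the tenant's size, since the article notes the campaign tries every account in small organizations but is selective in large ones.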

As these attacks continue evolving, staying informed about emerging threats becomes essential for maintaining robust cybersecurity defenses. Organizations using Microsoft Entra ID should immediately review their security posture and implement the recommended protections.

(Source: HelpNet Security)


The Wiz