In a recent cybersecurity incident, over 80,000 Microsoft Entra ID accounts were targeted through password spraying attacks, leading to unauthorized access to several accounts and compromising data across Microsoft Teams, OneDrive, and Outlook.
Understanding Password Spraying Attacks
Password spraying is a technique where attackers attempt to access numerous accounts by trying a few commonly used passwords, thereby avoiding account lockouts that typically occur after multiple failed login attempts. Unlike brute-force attacks that target a single account with numerous password guesses, password spraying spreads attempts across many accounts, making detection more challenging.
The Role of TeamFiltration in the Attack
The attackers in this campaign utilized TeamFiltration, a penetration testing tool designed to automate various tactics used in account takeover scenarios. Originally developed for legitimate security assessments, TeamFiltration has been repurposed by malicious actors to conduct large-scale password spraying attacks. The tool's capabilities include user enumeration, password spraying, and data exfiltration, making it a potent instrument in the hands of cybercriminals.
Details of the Attack
The campaign, identified as UNK_SneakyStrike by Proofpoint researchers, began in December 2024. Attackers exploited the Microsoft Teams API and leveraged Amazon Web Services (AWS) servers to conduct user enumeration and password spraying attacks. The attacks originated primarily from the United States (42%), Ireland (11%), and Great Britain (8%). By distributing their efforts across multiple regions and utilizing legitimate services, the attackers aimed to evade detection and increase the likelihood of successful account compromises.
Implications of the Attack
The successful compromise of several accounts underscores the evolving tactics of cybercriminals, who are increasingly adopting advanced intrusion tools and platforms. The use of legitimate penetration testing tools for malicious purposes highlights the dual-use nature of such software and the need for organizations to remain vigilant. The attackers' ability to access sensitive data within Microsoft Teams, OneDrive, and Outlook poses significant risks, including data theft, espionage, and further exploitation of compromised accounts.
Mitigation Strategies
To defend against password spraying attacks, organizations should implement a multi-layered security approach:
  • Enforce Strong Password Policies: Implement Microsoft Entra Password Protection to detect and block known weak passwords and their variants. This feature utilizes a global banned password list and allows for custom banned password lists tailored to organizational needs.
  • Enable Multi-Factor Authentication (MFA): Require MFA for all user accounts to add an additional layer of security. Even if an attacker obtains a valid password, MFA can prevent unauthorized access.
  • Monitor and Respond to Suspicious Activity: Utilize tools like Microsoft Defender XDR to detect and respond to password spray attacks. Advanced hunting queries can help identify patterns indicative of such attacks, enabling timely intervention.
  • Disable Legacy Authentication Protocols: Legacy authentication protocols are more susceptible to attacks because they cannot enforce MFA, so a sprayed password alone is enough to sign in. Disabling them reduces the attack surface and enhances security.
  • Educate Users on Security Best Practices: Regular training on recognizing phishing attempts, the importance of strong passwords, and the use of MFA can empower users to act as the first line of defense.
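As an added example (not from the article, and not Proofpoint's or Microsoft's detection logic), the following Python detector applies the pattern the article describes, a few failures per account spread across many accounts from one source, to constructed Entra ID sign-in records. The field names follow the sign-in log schema, while the thresholds and the sample events are assumptions.

```python
"""Password-spray detector over Entra ID sign-in events (hypothetical example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error code for "invalid username or password"; 0 is success.
INVALID_CREDS = 50126


def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Return {source_ip: sorted list of targeted accounts} for every source IP
    that, within `window`, produced failed sign-ins against at least `min_users`
    distinct accounts with no single account failing more than `max_per_user`
    times (many accounts, few guesses each: the spray signature, as opposed to
    brute force, which hammers one account)."""
    per_ip = defaultdict(list)
    for e in events:
        if e["errorCode"] == INVALID_CREDS:
            per_ip[e["ipAddress"]].append(e)
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["createdDateTime"])
        start = 0
        for end in range(len(evs)):  # slide a time window over this IP's failures
            while evs[end]["createdDateTime"] - evs[start]["createdDateTime"] > window:
                start += 1
            counts = defaultdict(int)
            for e in evs[start:end + 1]:
                counts[e["userPrincipalName"]] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[ip] = sorted({x["userPrincipalName"] for x in evs})
                break
    return flagged


def _ev(minute, ip, upn, code=INVALID_CREDS):
    """Build one constructed sign-in record (assumed field names)."""
    base = datetime(2024, 12, 3, 9, 0)
    return {"createdDateTime": base + timedelta(minutes=minute),
            "ipAddress": ip, "userPrincipalName": upn, "errorCode": code}


# Constructed sample: one spraying IP (6 accounts, one guess each), one
# brute-forcing IP (one account, 10 guesses) and one user's ordinary typo.
SAMPLE_EVENTS = (
    [_ev(i, "203.0.113.10", f"user{i}@example.com") for i in range(6)]
    + [_ev(i, "198.51.100.7", "admin@example.com") for i in range(10)]
    + [_ev(30, "192.0.2.5", "user1@example.com"),
       _ev(31, "192.0.2.5", "user1@example.com", code=0)]
)

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))  # only 203.0.113.10 is reported
```

In practice the same grouping runs as an advanced hunting query over the sign-in table; the thresholds need tuning to the tenant's normal failure rate.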
Conclusion
The recent password spraying attacks targeting Microsoft Entra ID accounts serve as a stark reminder of the persistent threats in the cybersecurity landscape. By leveraging legitimate tools like TeamFiltration, attackers can execute sophisticated campaigns that challenge traditional security measures. Organizations must adopt comprehensive security strategies, including enforcing strong password policies, implementing MFA, monitoring for suspicious activities, and educating users to mitigate the risks associated with such attacks.

Source: TechRadar, "Over 80,000 Microsoft Entra ID accounts hit by password spraying attacks"