Password spraying attacks have become one of the most persistent and damaging techniques in the arsenal of modern cybercriminals, as demonstrated by a newly disclosed incident in which over 80,000 Microsoft Entra ID accounts were targeted using legitimate penetration testing tools. According to a recent in-depth analysis from Proofpoint, shared with TechRadar Pro and corroborated by additional cybersecurity sources, unnamed threat actors orchestrated a large-scale attack—dubbed “UNK_SneakyStrike”—by misusing TeamFiltration, a tool originally designed for security assessments but quickly repurposed for malicious campaigns.

Rising Tide: Password Spraying Meets Penetration Testing Tools

The Anatomy of the Attack

The campaign reportedly began around December 2024, leveraging TeamFiltration’s automation abilities to conduct user-enumeration and password-spraying attacks at scale. While password spraying itself is not a novel tactic, its merger with sophisticated legitimate tools marks a dangerous evolution in offensive cyber operations.
Unlike brute-force attacks that rapidly test many passwords against a single account—often triggering lockouts—password spraying involves attempting a small number of commonly used passwords across a broad swath of accounts. This evasion tactic exploits weak user password hygiene and organizational blind spots, letting attackers fly under the radar of conventional intrusion detection systems.
The team behind UNK_SneakyStrike exploited the Microsoft Teams API and harnessed a global network of Amazon Web Services (AWS) servers. These cloud-based resources provided both scalability and geographic obfuscation, making it more difficult for defenders to correlate suspicious traffic or block specific sources. Teams at Proofpoint identified that 42% of attacks originated from the United States, 11% from Ireland, and 8% from Great Britain, underscoring the campaign’s international footprint.

TeamFiltration: When Tools Go Rogue

At the heart of this attack is TeamFiltration—a penetration testing framework released to the security community in early 2021 and demoed at DEF CON 30. The tool was created with the intention of aiding security professionals in simulating advanced attack chains and evaluating the effectiveness of their controls. Automated deployment, credential stuffing, detection evasion, and even communication with common SaaS APIs form part of its feature set.
As highlighted by Proofpoint’s researchers, “As with many security tools that are originally created and released for legitimate uses, such as penetration testing and risk evaluation, TeamFiltration was also leveraged in malicious activity.” The dual-use nature of security software has sparked controversy within the cybersecurity field for years; while these tools empower defenders, their open availability also serves adversaries well. In the wrong hands, legitimate frameworks like TeamFiltration rapidly morph into potent weapons.
Notably, while the number of targeted accounts exceeded 80,000—spread across approximately 100 different cloud tenants—Proofpoint confirmed that only “several cases” resulted in full account compromise. In those incidents, attackers reportedly gained access to sensitive data hosted within Microsoft Teams, OneDrive, Outlook, and other interconnected Microsoft 365 productivity tools, risking the exposure of substantial business-critical information.

Critical Assessment: The Strengths and Risks of TeamFiltration Abuse

The Double-Edged Sword of Penetration Testing Software

The open-source ethos that underpins much of the cybersecurity research community has long championed the public availability of penetration testing tools. Proponents argue that widespread access pushes defenders to improve at the pace of attacker innovation. However, as the UNK_SneakyStrike campaign demonstrates, there’s a persistent tension between openness and defense.
On one hand, tools like TeamFiltration democratize advanced testing capabilities, enabling even smaller organizations with limited budgets to assess their cloud security posture. On the other hand, their ready availability often means that threat actors can operationalize them straight out of the box.
Proofpoint’s analysis underscores this dilemma, noting that TeamFiltration “can easily be weaponized” to compromise accounts, exfiltrate sensitive data, and establish persistent footholds inside enterprise cloud environments. The rise of such attacks suggests a pivot away from crude attack methods toward stealthier, more sustainable strategies rooted in red-team methodology.

Evasion and Persistence: Advanced Tactics in Action

The attackers’ operational use of AWS cloud servers as launching pads illustrates a keen understanding of modern detection limitations. By masking their originating IP addresses behind legitimate cloud infrastructure, adversaries make it difficult for blue teams to distinguish “good” from “bad” traffic, especially since cloud providers are also widely leveraged by legitimate business operations.
Furthermore, their abuse of the Microsoft Teams API sheds light on a critical but frequently overlooked attack vector. Teams, alongside other collaboration tools, is deeply embedded in most enterprises’ daily workflow, often bridging sensitive conversations, file sharing, and third-party integrations. Every additional API, if not vigilantly monitored, broadens the organization’s attack surface.

The Broader Landscape: Password Spraying’s Enduring Threat

Quantifying the Impact

While only a handful of accounts were reportedly compromised out of the 80,000 targets, the potential for damage remains significant. Even a single breach of a privileged account can grant attackers lateral movement within an enterprise ecosystem, elevating risks from data theft to business email compromise (BEC) and ransomware deployment.
Research from multiple cybersecurity firms aligns on the prevalence of password spraying. A recent Microsoft Digital Defense Report highlights that over 99% of password attacks utilize techniques like spraying and credential stuffing, rather than direct brute-force. Weak and reused passwords are by far the most commonly exploited vulnerabilities in cloud environments.

Hardening Defenses: Best Practices and Recommendations

Organizations can take several actionable steps to blunt the effectiveness of password spraying attacks, irrespective of the tools used by adversaries:
  • Mandatory Multi-Factor Authentication (MFA): Enforce MFA across all remote and cloud accounts to ensure that even successfully guessed passwords do not immediately result in account compromise. Microsoft's own security advisories stress that MFA can prevent over 99% of automated account attacks.
  • Conditional Access Policies: Utilize tools like Microsoft Entra ID’s built-in conditional access to restrict risky sign-ins, demand device compliance, and trigger step-up authentication when anomalies are detected.
  • Monitoring and Logging: Continuously monitor sign-in logs for anomalies, especially failed logins from unusual geographies, known AWS IP ranges, or at odd times.
  • Rate Limiting and Lockout Policies: Carefully tune lockout thresholds and implement rate limiting on authentication attempts to reduce exposure to spraying—though care must be taken to avoid denying access to legitimate users.
  • Audit Permissions: Regularly review and prune unnecessary access privileges, particularly for sensitive productivity and communication platforms like Teams and OneDrive.
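The contrast drawn earlier between brute force (many attempts against one account) and spraying (one or two attempts against many accounts) is exactly what the monitoring and lockout recommendations above hinge on. The following Python script is an added example, not code from the article, from Proofpoint, or from TeamFiltration: it runs over a small constructed sign-in log (placeholder users and documentation-range IP addresses, not real data) and shows why a per-account lockout threshold catches the brute-force pattern but misses the spray, while counting distinct accounts per source address inside a sliding time window catches the spray. The column names and thresholds are assumptions chosen for illustration, not an Entra ID schema.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample sign-in log (hypothetical values only).
# Columns: UTC timestamp, user principal name, source IP, result.
# 203.0.113.10 sprays six accounts once each; 198.51.100.7 brute-forces one
# account; 192.0.2.55 is a legitimate user who mistyped a password twice.
SAMPLE_LOG = """\
timestamp,user,source_ip,result
2024-12-03T02:10:05Z,alice@example.com,203.0.113.10,failure
2024-12-03T02:10:41Z,bob@example.com,203.0.113.10,failure
2024-12-03T02:11:17Z,carol@example.com,203.0.113.10,failure
2024-12-03T02:11:58Z,dave@example.com,203.0.113.10,failure
2024-12-03T02:12:33Z,erin@example.com,203.0.113.10,failure
2024-12-03T02:13:09Z,frank@example.com,203.0.113.10,failure
2024-12-03T02:14:02Z,frank@example.com,203.0.113.10,success
2024-12-03T02:05:00Z,grace@example.com,198.51.100.7,failure
2024-12-03T02:05:02Z,grace@example.com,198.51.100.7,failure
2024-12-03T02:05:04Z,grace@example.com,198.51.100.7,failure
2024-12-03T02:05:06Z,grace@example.com,198.51.100.7,failure
2024-12-03T02:05:08Z,grace@example.com,198.51.100.7,failure
2024-12-03T02:05:10Z,grace@example.com,198.51.100.7,failure
2024-12-03T08:30:00Z,heidi@example.com,192.0.2.55,failure
2024-12-03T08:30:20Z,heidi@example.com,192.0.2.55,failure
2024-12-03T08:30:45Z,heidi@example.com,192.0.2.55,success
"""


def parse_log(text):
    """Parse CSV sign-in records into dicts, sorted by timestamp."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(row)
    return sorted(records, key=lambda r: r["timestamp"])


def failures_per_account(records):
    """Failed sign-ins per account: the only signal a per-account lockout sees."""
    counts = defaultdict(int)
    for r in records:
        if r["result"] == "failure":
            counts[r["user"]] += 1
    return dict(counts)


def locked_out_accounts(records, threshold=5):
    """Accounts a per-account lockout policy with this threshold would lock."""
    return {u for u, n in failures_per_account(records).items() if n >= threshold}


def detect_spray(records, window=timedelta(minutes=10),
                 min_distinct_users=5, max_per_user=2):
    """Flag source IPs that, within a sliding window, fail against many distinct
    accounts while touching each account only a few times (the spray signature)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            by_ip[r["source_ip"]].append(r)
    alerts = []
    for ip, events in by_ip.items():  # events are already time-ordered
        best, left = None, 0
        for right in range(len(events)):
            while events[right]["timestamp"] - events[left]["timestamp"] > window:
                left += 1
            per_user = defaultdict(int)
            for e in events[left:right + 1]:
                per_user[e["user"]] += 1
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_per_user
                    and (best is None or len(per_user) > best["distinct_users"])):
                best = {"source_ip": ip, "distinct_users": len(per_user),
                        "window_start": events[left]["timestamp"]}
        if best:
            alerts.append(best)
    return alerts


def spray_successes(records, alerts):
    """Accounts that signed in successfully from a flagged spray source: the
    first candidates for credential reset and session revocation."""
    flagged = {a["source_ip"] for a in alerts}
    return sorted({r["user"] for r in records
                   if r["result"] == "success" and r["source_ip"] in flagged})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("lockout would catch:", locked_out_accounts(recs))
    hits = detect_spray(recs)
    print("spray sources:", hits)
    print("reset these accounts:", spray_successes(recs, hits))
```

Run as written, the lockout check names only grace@example.com (the brute-forced account), because every sprayed account saw a single failure and never reached the threshold. The per-source check flags 203.0.113.10 with six distinct accounts in under four minutes and reports frank@example.com as the account that subsequently signed in from that source. The thresholds (five distinct accounts, at most two attempts each, ten-minute window) are starting points to tune against your own baseline, and in a cloud-hosted campaign the source IP rotates, so grouping by autonomous system or by user-agent and client-application fingerprint is a natural extension of the same logic.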

The Future: Adaptive Threats, Adaptive Defenses

The Rise of “Legit” Attack Chains

The use of legitimate pentesting tools for illegitimate ends is set to accelerate. As traditional malware and phishing continue to lose effectiveness against well-defended organizations, threat actors are increasingly pivoting toward exploiting readily available administrative frameworks, cloud APIs, and hybrid infrastructure.
Proofpoint’s researchers warn that attackers “will increasingly adopt advanced intrusion tools and platforms, such as TeamFiltration, as they pivot away from less effective intrusion methods.” This shift mirrors the broader industry trend toward “living off the land”—abusing built-in tools and legitimate mechanisms to blend in and persist.

Attribution: A Lingering Blind Spot

Notably, the UNK_SneakyStrike campaign has yet to be attributed to a known threat group or nation-state. This lack of attribution is not uncommon in attacks that leverage widely available tools and globally distributed cloud infrastructure. Since the infrastructure and software are neither bespoke nor directly linked to any single actor, traditional methods of tracking and identifying attackers are less effective.
Incident responders and threat intelligence teams must now incorporate a wider range of signals, such as behavioral anomalies, subtle flaws in operational security, and the interplay between seemingly innocuous events, to piece together attribution.

SEO-Focused Takeaways for Microsoft Cloud and Security Teams

Why Microsoft Entra ID Remains a Prime Target

Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), sits at the heart of most modern enterprise authentication flows. With over 425 million users as of late 2024, any vulnerability in its ecosystem—whether technical or behavioral—is catnip for threat actors. Its integration across the Microsoft 365 suite, Teams, OneDrive, SharePoint, and countless third-party applications means a single account compromise can have far-reaching consequences.
Organizations seeking to enhance Microsoft Entra ID security should not only focus on technical safeguards but also on user education and regular risk assessments. Tailored security awareness initiatives and phishing simulations remain vital shields against human error, which attackers continue to exploit.

The Importance of Zero Trust and API Security

Zero trust principles—where no device or user is implicitly trusted—should underpin all cloud security strategies. This includes rigorous verification of user identities, continuous validation of devices, and conditional access policies that adapt in real-time to changing risk conditions.
API security, often relegated to the background, must now be treated as a first-class pillar. Every integration point—especially those enabling automation or external partner access—should be reviewed for unanticipated privileges or weak authentication practices.

Conclusion: A Cautionary Tale for Cloud-First Organizations

The UNK_SneakyStrike campaign is neither the first nor the last instance of adversaries turning the security community’s own tools against itself. As password spraying attacks grow in sophistication, catalyzed by the widespread availability of frameworks like TeamFiltration, defenders must reassess their strategy at every level. From enforcing robust authentication protocols to meticulously monitoring account activity and auditing third-party tool usage, a multi-layered, adaptive defense is more crucial than ever.
Organizations using Microsoft Entra ID and similar cloud-based identity solutions should recognize that their most persistent foes may now be equipped with the very same tools designed to keep them safe. Addressing this paradox requires not just technological investment but a steadfast commitment to continuous security awareness, vigilance, and the agile adaptation of defense practices in the face of an ever-evolving threat landscape.
As the boundaries between red teaming and real-world attacks blur, the security community’s challenge will be to stay one step ahead in the never-ending pursuit of digital trust and resilience.

Source: inkl, “Over 80,000 Microsoft Entra ID accounts hit by password spraying attacks”