Hackers Use Pentest Tool to Breach Entra ID Accounts
A global account takeover campaign is abusing a legitimate pentest tool to breach Entra ID environments, targeting over 80,000 user accounts across roughly 100 cloud tenants. The campaign, which escalated in December 2024, uses TeamFiltration, a penetration testing framework released at DEF CON 30, to compromise Microsoft Office 365 Entra ID users.
Researchers at Proofpoint have identified the operation, codenamed UNK_SneakyStrike, which leverages Amazon Web Services infrastructure across regions including the U.S., Ireland and the U.K. The attackers automate password spraying, user enumeration via the Microsoft Teams API, and data exfiltration.
Key technical indicators include the use of an outdated Microsoft Teams user agent and targeted application IDs linked to Microsoft OAuth tokens. The campaign’s infrastructure mimics legitimate setups, using AWS accounts and sacrificial Office 365 licenses to avoid detection.
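For defenders, the password-spraying pattern and the outdated Teams user agent described above can be hunted for together in sign-in logs. The following is an added example, not code from Proofpoint or TeamFiltration: it flags any source IP with failed password logons against many distinct accounts inside a short window and notes whether an old Teams client string was involved. The flattened field names, the `MIN_TEAMS` version floor, the thresholds and every sample record are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_PASSWORD = 50126   # AADSTS50126: invalid username or password
MIN_TEAMS = (2, 0, 0)     # hypothetical "current client" floor, set from your own fleet

def teams_version(user_agent):
    """Return the Teams client version found in a user agent as a tuple, or None."""
    m = re.search(r"Teams/(\d+(?:\.\d+)*)", user_agent or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def find_sprays(records, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs with failed logons for >= min_users distinct accounts in one window."""
    by_ip = defaultdict(list)
    for r in records:
        if r["errorCode"] == FAILED_PASSWORD:
            by_ip[r["ipAddress"]].append((datetime.fromisoformat(r["time"]), r))
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            burst = [r for ts, r in events[i:] if ts - start <= window]
            users = {r["user"].lower() for r in burst}
            if len(users) >= min_users:
                # A missing Teams token is treated as "not stale", not as a match.
                stale = any((teams_version(r["userAgent"]) or MIN_TEAMS) < MIN_TEAMS
                            for r in burst)
                findings.append({"ip": ip, "users": len(users),
                                 "start": start.isoformat(), "stale_teams_ua": stale})
                break  # one finding per source IP is enough to open a case
    return findings

def sample_records():
    """Constructed records (assumed flattened schema): one spraying source, one user typo."""
    spray = [{"time": f"2025-01-10T09:0{i}:00", "user": f"user{i}@example.com",
              "ipAddress": "203.0.113.10", "errorCode": FAILED_PASSWORD,
              "userAgent": "Mozilla/5.0 Teams/1.0.0 (constructed)"} for i in range(6)]
    typo = [{"time": f"2025-01-10T09:1{i}:00", "user": "alice@example.com",
             "ipAddress": "198.51.100.7", "errorCode": FAILED_PASSWORD,
             "userAgent": "Mozilla/5.0 (constructed browser)"} for i in range(6)]
    return spray + typo

if __name__ == "__main__":
    for finding in find_sprays(sample_records()):
        print(finding)
```

Counting distinct accounts per source, not raw failures, is what separates a spray from one user repeatedly mistyping a password.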
Read the full article for a detailed breakdown of the attack methods and indicators of compromise:
New Account Takeover Campaign Leverages Pentesting Tool to Attack Entra ID User Accounts
