A threat actor has launched a large-scale account takeover campaign using the TeamFiltration penetration testing framework to target Entra ID users across multiple cloud tenants. The campaign leverages AWS infrastructure, Microsoft Teams API, and OAuth application IDs to execute password spraying, account enumeration, and persistent access tactics. #TeamFiltration #CobaltStrike #EntraID
Key points
- The campaign actively targets approximately 100 cloud tenants with peak activity in January 2025.
- The attackers' sign-in attempts can be identified by a distinctive, outdated Microsoft Teams user agent.
- The attackers launch bursts of password spraying from AWS servers located around the world.
- TeamFiltration’s features enable attackers to exfiltrate data and maintain persistent access.
- The campaign is linked to specific Microsoft OAuth app IDs capable of receiving special refresh tokens.
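The two indicators above (an outdated Teams user agent and bursts of failed sign-ins against many accounts from one source) can be combined into a simple detection. The following is an added example, not code from the original post or from the SecurityWeek article: it runs over constructed Entra ID sign-in records and flags source IPs that both fail against several distinct accounts and present a Teams client older than an assumed baseline. The baseline version, the spray threshold, the log field names and the sample records are all assumptions made for this example; the real user-agent string from the campaign is not reproduced here.

```python
"""Flag password-spray bursts that carry an outdated Microsoft Teams user agent.

Added example for the campaign summary above; all values are constructed.
"""
import re
from collections import defaultdict

# Assumption: any Teams client reporting a version below this is treated as outdated.
# This is a placeholder baseline, not the version quoted in the report.
ASSUMED_MIN_CURRENT_TEAMS_VERSION = (1, 6, 0, 0)
# Assumption: failures against this many distinct accounts from one IP look like a spray.
SPRAY_MIN_DISTINCT_USERS = 3

TEAMS_VERSION_RE = re.compile(r"Teams/(\d+(?:\.\d+)*)")

# Constructed sample sign-in records (field names loosely follow Entra sign-in logs).
# 203.0.113.10: outdated Teams client, fails against four accounts, then one success.
# 198.51.100.7: current Teams client, fails against three accounts (spray, but no UA indicator).
# 192.0.2.5:    outdated Teams client, a single failure (UA indicator, but no spray).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "ua": "Teams/1.2.00.1000 (Microsoft Teams, Windows)", "status": "failure"},
    {"user": "bob@example.com",   "ip": "203.0.113.10", "ua": "Teams/1.2.00.1000 (Microsoft Teams, Windows)", "status": "failure"},
    {"user": "carol@example.com", "ip": "203.0.113.10", "ua": "Teams/1.2.00.1000 (Microsoft Teams, Windows)", "status": "failure"},
    {"user": "dave@example.com",  "ip": "203.0.113.10", "ua": "Teams/1.2.00.1000 (Microsoft Teams, Windows)", "status": "failure"},
    {"user": "eve@example.com",   "ip": "203.0.113.10", "ua": "Teams/1.2.00.1000 (Microsoft Teams, Windows)", "status": "success"},
    {"user": "frank@example.com", "ip": "198.51.100.7", "ua": "Teams/1.7.00.5 (Microsoft Teams, Windows)",    "status": "failure"},
    {"user": "grace@example.com", "ip": "198.51.100.7", "ua": "Teams/1.7.00.5 (Microsoft Teams, Windows)",    "status": "failure"},
    {"user": "heidi@example.com", "ip": "198.51.100.7", "ua": "Teams/1.7.00.5 (Microsoft Teams, Windows)",    "status": "failure"},
    {"user": "ivan@example.com",  "ip": "192.0.2.5",    "ua": "Teams/1.2.00.1000 (Microsoft Teams, Windows)", "status": "failure"},
    {"user": "judy@example.com",  "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/120",       "status": "success"},
]


def parse_teams_version(user_agent):
    """Return the Teams version as a tuple of ints, or None if the UA is not a Teams client."""
    match = TEAMS_VERSION_RE.search(user_agent or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_outdated_teams(user_agent, baseline=ASSUMED_MIN_CURRENT_TEAMS_VERSION):
    """True when the UA is a Teams client whose version sorts below the assumed baseline."""
    version = parse_teams_version(user_agent)
    return version is not None and version < baseline


def find_spray_sources(records, min_users=SPRAY_MIN_DISTINCT_USERS):
    """Group failed sign-ins by source IP; keep IPs that failed against >= min_users accounts."""
    failed_users = defaultdict(set)
    for rec in records:
        if rec["status"] == "failure":
            failed_users[rec["ip"]].add(rec["user"].lower())
    return {ip: users for ip, users in failed_users.items() if len(users) >= min_users}


def detect_teams_spray(records):
    """Alert on source IPs that both spray accounts and present an outdated Teams UA."""
    alerts = []
    for ip, users in sorted(find_spray_sources(records).items()):
        seen_uas = {rec["ua"] for rec in records if rec["ip"] == ip}
        outdated = sorted(ua for ua in seen_uas if is_outdated_teams(ua))
        if outdated:
            alerts.append({"ip": ip, "distinct_users": len(users), "user_agents": outdated})
    return alerts


if __name__ == "__main__":
    for alert in detect_teams_spray(SAMPLE_SIGNINS):
        print(f"{alert['ip']}: {alert['distinct_users']} accounts, UAs={alert['user_agents']}")
```

Requiring both signals keeps the rule from firing on every stale Teams install in the tenant; the spray-only IPs returned by `find_spray_sources` are still worth a lower-severity review. Since the post notes the bursts come from AWS, enriching the flagged source IP with provider or ASN data is the natural next filter before escalating.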
Read More: https://www.securityweek.com/teamfiltration-abused-in-entra-id-account-takeover-campaign/