Subj : Over 80,000 Microsoft Entra ID accounts hit by password spraying
To   : All
From : TechnologyDaily
Date : Fri Jun 13 2025 16:15:07

Over 80,000 Microsoft Entra ID accounts hit by password spraying attacks

Date:
Fri, 13 Jun 2025 15:04:00 +0000

Description:
Half a dozen flaws across different products were addressed despite not being 
abused in the wild.

FULL STORY
======================================================================Hackers 
are abusing a legitimate tool to target Entra ID accounts The password 
spraying attack targeted some 80,000 accounts Attackers managed to take over 
some accounts, accessing Microsoft Teams, OneDrive, Outlook data 

Cybercriminals have been spotted abusing a legitimate penetration testing 
tool to target peoples Entra ID user accounts with password -spraying 
attacks, experts hgave warned. 

In an in-depth analysis shared with TechRadar Pro , cybersecurity researchers 
from Proofpoint claimed tens of thousands of accounts were targeted, and a 
few were compromised. 

The researchers said unnamed threat actors engaged in a large-scale attack 
they dubbed UNK_SneakyStrike. "Several" accounts compromised 

In this campaign, the attackers used a legitimate pentesting tool called 
TeamFiltration. 

This tool was created by a threat researcher in early 2021 and publicly 
released at DefCon30. It helps automate several tactics, techniques, and 
procedures (TTPs) used in modern ATO attack chains. 

As with many security tools that are originally created and released for 
legitimate uses, such as penetration testing and risk evaluation, 
TeamFiltration was also leveraged in malicious activity, Proofpoint 
explained. 

The researchers said the campaign most likely started in December 2024. By 
abusing Microsoft Teams API and Amazon Web Services (AWS) servers located 
around the world, they were able to launch user-enumeration and 
password-spraying attacks, targeting some 80,000 user accounts across roughly 
100 cloud tenants. 

The three primary source geographies from which the attacks originated 
include the United States (42%), Ireland (11%), and Great Britain (8%). 

Proofpoint said that in several cases, the attackers managed to take over the 
accounts, accessing valuable information in Microsoft Teams, OneDrive, 
Outlook, and other productivity tools. 

There was no attribution, so we dont know if any organized threat actor sits 
behind this campaign. The researchers focused mostly on the use of legitimate 
tools for illegitimate purposes, saying they can easily be weaponized in an 
attempt to compromise user accounts, exfiltrate sensitive data, and establish 
persistent footholds. 

Proofpoint anticipates that threat actors will increasingly adopt advanced 
intrusion tools and platforms, such as TeamFiltration, as they pivot away 
from less effective intrusion methods. You might also like Massive botnet is 
targeting Microsoft 365 accounts across the world Take a look at our guide to 
the best authenticator app We've rounded up the best password managers



======================================================================
Link to news story:
https://www.techradar.com/pro/security/over-80-000-microsoft-entra-id-accounts
-hit-by-password-spraying-attacks


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.