Cybercriminals are using the TeamFiltration pentesting tool in a large-scale campaign targeting Office 365 accounts. The attacks, attributed to UNK_SneakyStrike, have so far targeted more than 80,000 user accounts.
Since December last year, attacks have been executed on about 100 cloud tenants. The pattern shows concentrated bursts of activity, followed by quiet periods of four to five days. In smaller organizations, attackers try to gain access to all user accounts. In larger companies, they typically target a select group.
The attacks use AWS infrastructure spread across multiple regions. The United States (42 percent), Ireland (11 percent), and the United Kingdom (8 percent) are the main source locations. TeamFiltration requires an AWS account and a “sacrificial” Office 365 account for the enumeration feature to work.
From pentesting to malicious activity
Security researchers at Proofpoint are seeing a sharp increase in the misuse of TeamFiltration. The tool, originally developed for legitimate penetration testing, is now being used for large-scale account takeover campaigns. TeamFiltration offers attackers capabilities for account enumeration, password spraying, and data extraction from Office 365 environments.
The tool can also create a “backdoor” via OneDrive. This allows attackers to replace existing files with malware-filled alternatives. This enables them to maintain persistent access and move further through networks.
Unique features enable detection
Proofpoint identified TeamFiltration activity through a specific user agent used by the tool. This user agent simulates an outdated version of Microsoft Teams and is rarely found in legitimate environments. This makes it a reliable indicator of abuse.
In addition, researchers found that TeamFiltration attempts to access applications that are incompatible with the device on which it is running. This peculiarity indicates user agent spoofing. The tool also uses a predefined list of Microsoft OAuth client applications. This list largely corresponds to previous investigations into so-called family refresh tokens.
Tip: Cybercriminals are paying pentesters to vet their ransomware