Skip to content
Threat Feed
medium advisory

TeamFiltration Tool User-Agent Detected in Entra ID Sign-ins

The TeamFiltration tool, used for Entra ID and Microsoft 365 enumeration and password spraying, is detected via specific user-agent strings in sign-in logs.

The TeamFiltration tool is an open-source utility designed for enumeration, password spraying, and exfiltration within Entra ID and Microsoft 365 environments. Active threat actors leverage TeamFiltration to discover users, groups, and roles, and to execute password spraying attacks targeting Microsoft Entra ID and Microsoft 365 accounts. This detection focuses on identifying TeamFiltration usage by monitoring for its specific user-agent strings within Azure and Microsoft 365 sign-in logs. This activity began being tracked in July 2025. TeamFiltration uses a list of FOCI compliant applications to perform enumeration and password spraying. TeamFiltration uses Microsoft Teams client ID 1fec8e78-bce4-4aaf-ab1b-5451cc387264 for enumeration.

Attack Chain

  1. Initial Access: The attacker gains initial access or leverages existing compromised credentials.
  2. Tool Execution: The attacker executes the TeamFiltration tool on a compromised system or from a cloud-based instance.
  3. Enumeration: TeamFiltration uses the Microsoft Teams client ID 1fec8e78-bce4-4aaf-ab1b-5451cc387264 to enumerate users, groups, and roles within the target Entra ID/M365 environment using Graph API requests.
  4. Password Spraying: The tool performs password spraying attacks against enumerated user accounts.
  5. Credential Access: If successful, the attacker gains access to user accounts.
  6. Privilege Escalation: The attacker attempts to escalate privileges within the environment leveraging the compromised accounts.
  7. Lateral Movement: Using compromised accounts, the attacker attempts lateral movement to gain access to additional resources.
  8. Data Exfiltration: If successful in gaining access to sensitive data, the attacker exfiltrates the data.

Impact

Successful attacks using TeamFiltration can result in widespread unauthorized access to sensitive data within Microsoft Entra ID and Microsoft 365 environments. This can lead to data breaches, financial loss, and reputational damage. The tool is actively used in account takeover campaigns and can affect organizations of any size that utilize Entra ID and M365 services.

Recommendation

  • Deploy the Sigma rule Entra ID Sign-in TeamFiltration User-Agent Detected to your SIEM to detect the use of TeamFiltration based on user-agent strings.
  • Monitor Azure and Microsoft 365 sign-in logs for user agents matching those used by TeamFiltration, as indicated in the rule above (logsource: azure.signinlogs or o365.audit).
  • Investigate any sign-in events matching the TeamFiltration user-agent, paying close attention to the source IP addresses and user accounts involved.
  • Enable Conditional Access policies to require MFA for API and CLI-based access to mitigate password spraying attacks.

Detection coverage 2

Entra ID Sign-in TeamFiltration User-Agent Detected

medium

Detects sign-in attempts using the TeamFiltration tool based on the user-agent string.

sigma tactics: credential_access, discovery techniques: T1069.003, T1110.003 sources: network_connection, azure

Entra ID Sign-in TeamFiltration Electron User-Agent Detected

medium

Detects sign-in attempts using TeamFiltration tool via electron user-agent in Azure signin logs.

sigma tactics: credential_access, discovery techniques: T1069.003, T1110.003 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

domain

TypeValue
domaingithub.com