{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/teamfiltration/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID","Microsoft 365","Microsoft Teams"],"_cs_severities":["medium"],"_cs_tags":["azure","o365","teamfiltration","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe TeamFiltration tool is an open-source utility designed for enumeration, password spraying, and exfiltration within Entra ID and Microsoft 365 environments. Active threat actors leverage TeamFiltration to discover users, groups, and roles, and to execute password spraying attacks targeting Microsoft Entra ID and Microsoft 365 accounts. This detection focuses on identifying TeamFiltration usage by monitoring for its specific user-agent strings within Azure and Microsoft 365 sign-in logs. This activity began being tracked in July 2025. TeamFiltration uses a list of FOCI compliant applications to perform enumeration and password spraying. TeamFiltration uses Microsoft Teams client ID \u003ccode\u003e1fec8e78-bce4-4aaf-ab1b-5451cc387264\u003c/code\u003e for enumeration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access or leverages existing compromised credentials.\u003c/li\u003e\n\u003cli\u003eTool Execution: The attacker executes the TeamFiltration tool on a compromised system or from a cloud-based instance.\u003c/li\u003e\n\u003cli\u003eEnumeration: TeamFiltration uses the Microsoft Teams client ID \u003ccode\u003e1fec8e78-bce4-4aaf-ab1b-5451cc387264\u003c/code\u003e to enumerate users, groups, and roles within the target Entra ID/M365 environment using Graph API requests.\u003c/li\u003e\n\u003cli\u003ePassword Spraying: The tool performs password spraying attacks against enumerated user accounts.\u003c/li\u003e\n\u003cli\u003eCredential Access: If successful, the attacker gains access to user accounts.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges within the environment leveraging the compromised accounts.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using compromised accounts, the attacker attempts lateral movement to gain access to additional resources.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: If successful in gaining access to sensitive data, the attacker exfiltrates the data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks using TeamFiltration can result in widespread unauthorized access to sensitive data within Microsoft Entra ID and Microsoft 365 environments. This can lead to data breaches, financial loss, and reputational damage. The tool is actively used in account takeover campaigns and can affect organizations of any size that utilize Entra ID and M365 services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eEntra ID Sign-in TeamFiltration User-Agent Detected\u003c/code\u003e to your SIEM to detect the use of TeamFiltration based on user-agent strings.\u003c/li\u003e\n\u003cli\u003eMonitor Azure and Microsoft 365 sign-in logs for user agents matching those used by TeamFiltration, as indicated in the rule above (logsource: \u003ccode\u003eazure.signinlogs\u003c/code\u003e or \u003ccode\u003eo365.audit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any sign-in events matching the TeamFiltration user-agent, paying close attention to the source IP addresses and user accounts involved.\u003c/li\u003e\n\u003cli\u003eEnable Conditional Access policies to require MFA for API and CLI-based access to mitigate password spraying attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-teamfiltration-user-agent/","summary":"The TeamFiltration tool, used for Entra ID and Microsoft 365 enumeration and password spraying, is detected via specific user-agent strings in sign-in logs.","title":"TeamFiltration Tool User-Agent Detected in Entra ID Sign-ins","url":"https://feed.craftedsignal.io/briefs/2024-01-03-teamfiltration-user-agent/"}],"language":"en","title":"CraftedSignal Threat Feed - Teamfiltration","version":"https://jsonfeed.org/version/1.1"}