<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Teamfiltration - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/teamfiltration/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/teamfiltration/feed.xml" rel="self" type="application/rss+xml"/><item><title>TeamFiltration Tool User-Agent Detected in Entra ID Sign-ins</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-teamfiltration-user-agent/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-teamfiltration-user-agent/</guid><description>The TeamFiltration tool, used for Entra ID and Microsoft 365 enumeration and password spraying, is detected via specific user-agent strings in sign-in logs.</description><content:encoded><![CDATA[<p>The TeamFiltration tool is an open-source utility designed for enumeration, password spraying, and exfiltration within Entra ID and Microsoft 365 environments. Active threat actors leverage TeamFiltration to discover users, groups, and roles, and to execute password spraying attacks targeting Microsoft Entra ID and Microsoft 365 accounts. This detection focuses on identifying TeamFiltration usage by monitoring for its specific user-agent strings within Azure and Microsoft 365 sign-in logs. This activity began being tracked in July 2025. TeamFiltration uses a list of FOCI compliant applications to perform enumeration and password spraying. TeamFiltration uses Microsoft Teams client ID <code>1fec8e78-bce4-4aaf-ab1b-5451cc387264</code> for enumeration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access or leverages existing compromised credentials.</li>
<li>Tool Execution: The attacker executes the TeamFiltration tool on a compromised system or from a cloud-based instance.</li>
<li>Enumeration: TeamFiltration uses the Microsoft Teams client ID <code>1fec8e78-bce4-4aaf-ab1b-5451cc387264</code> to enumerate users, groups, and roles within the target Entra ID/M365 environment using Graph API requests.</li>
<li>Password Spraying: The tool performs password spraying attacks against enumerated user accounts.</li>
<li>Credential Access: If successful, the attacker gains access to user accounts.</li>
<li>Privilege Escalation: The attacker attempts to escalate privileges within the environment leveraging the compromised accounts.</li>
<li>Lateral Movement: Using compromised accounts, the attacker attempts lateral movement to gain access to additional resources.</li>
<li>Data Exfiltration: If successful in gaining access to sensitive data, the attacker exfiltrates the data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful attacks using TeamFiltration can result in widespread unauthorized access to sensitive data within Microsoft Entra ID and Microsoft 365 environments. This can lead to data breaches, financial loss, and reputational damage. The tool is actively used in account takeover campaigns and can affect organizations of any size that utilize Entra ID and M365 services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Entra ID Sign-in TeamFiltration User-Agent Detected</code> to your SIEM to detect the use of TeamFiltration based on user-agent strings.</li>
<li>Monitor Azure and Microsoft 365 sign-in logs for user agents matching those used by TeamFiltration, as indicated in the rule above (logsource: <code>azure.signinlogs</code> or <code>o365.audit</code>).</li>
<li>Investigate any sign-in events matching the TeamFiltration user-agent, paying close attention to the source IP addresses and user accounts involved.</li>
<li>Enable Conditional Access policies to require MFA for API and CLI-based access to mitigate password spraying attacks.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>o365</category><category>teamfiltration</category><category>credential-access</category></item></channel></rss>