A large-scale account takeover campaign has been targeting Entra ID users.

A threat actor started using TeamFiltration in December 2024 to target user accounts across approximately 100 cloud tenants and has successfully compromised multiple accounts to date. The campaign used a combination of Microsoft Teams API and AWS servers for password spraying in highly concentrated bursts. The investigation also uncovered a link between the attacks and a list of application IDs pre-configured in TeamFiltration.

Read more:

https://www.securityweek.com/teamfiltration-abused-in-entra-id-account-takeover-campaign/