TeamFiltration User-Agents Detected

  1[metadata]
  2creation_date = "2025/07/02"
  3integration = ["azure", "o365"]
  4maturity = "production"
  5updated_date = "2025/07/02"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies potential enumeration or password spraying activity using TeamFiltration tool. TeamFiltration is an
 11open-source enumeration, password spraying and exfiltration tool designed for Entra ID and Microsoft 365. Adversaries
 12are known to use TeamFiltration in-the-wild to enumerate users, groups, and roles, as well as to perform password
 13spraying attacks against Microsoft Entra ID and Microsoft 365 accounts. This rule detects the use of TeamFiltration by
 14monitoring for specific user-agent strings associated with the tool in Azure and Microsoft 365 logs.
 15"""
 16false_positives = [
 17    """
 18    Legitimate administrative or security assessment activities may use these user-agents, especially in environments
 19    where TeamFiltration is employed for authorized audits. If this is expected behavior, consider adjusting the rule or
 20    adding exceptions for specific user-agents or IP addresses.
 21    """,
 22    """
 23    Expected red team assessments or penetration tests may utilize TeamFiltration to evaluate the security posture of
 24    Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions
 25    for specific IP addresses, registered applications, JWT tokens, PRTs or user
 26    """,
 27]
 28from = "now-9m"
 29index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-o365.audit-*"]
 30language = "kuery"
 31license = "Elastic License v2"
 32name = "TeamFiltration User-Agents Detected"
 33note = """## Triage and analysis
 34
 35Identifies potential enumeration or password spraying activity using TeamFiltration tool. TeamFiltration is an open-source enumeration, password spraying and exfiltration tool designed for Entra ID and Microsoft 365. Adversaries are known to use TeamFiltration in-the-wild to enumerate users, groups, and roles, as well as to perform password spraying attacks against Microsoft Entra ID and Microsoft 365 accounts. This rule detects the use of TeamFiltration by monitoring for specific user-agent strings associated with the tool in Azure and Microsoft 365 logs.
 36
 37The detection is based on TeamFiltration's hardcoded user agent string and/or the use of `Electron` by monitoring multiple log sources, including:
 38
 39- Azure Graph API Activity Logs
 40- Microsoft 365 Audit Logs
 41- Entra ID Sign-in Logs
 42- Entra ID Audit Logs
 43- Azure Activity Logs
 44
 45### Possible investigation steps
 46
 47- Confirm the tool used via `user_agent.original`.
 48- Identify the `user.id`, `user.name`, or `azure.signinlogs.properties.user_principal_name` fields to determine which identity executed the API requests or sign-in attempts.
 49- Review `app_id`, `app_display_name`, or `client_id` to identify the application context (e.g., Azure CLI, Graph Explorer, unauthorized app). TeamFiltration uses a list of FOCI compliant applications to perform enumeration and password spraying. TeamFiltration uses Microsoft Teams client ID `1fec8e78-bce4-4aaf-ab1b-5451cc387264` for enumeration.
 50- Check `http.request.method`, `http.response.status_code`, and `event.action` for enumeration patterns (many successful GETs in a short period) if Graph API activity logs.
 51- Investigate correlated sign-ins (`azure.signinlogs`) by the same user, IP, or app immediately preceding the API calls. Was MFA used? Is the location suspicious?
 52- Review `source.ip` or `client.geo.*` fields to determine the origin of the requests. Flag unexpected IPs or ISPs. Check the for the use of several source addresses originating from Amazon ASNs (e.g., `AS16509`, `AS14618`, `AS14618`) which are commonly used by TeamFiltration as it proxies requests through FireProx and Amazon API Gateway.
 53- If the event originates in M365 Audit Logs, investigate cross-service activity: Exchange Online, Teams, SharePoint, or role escalations via Unified Audit.
 54
 55### False positive analysis
 56
 57- This activity may be benign if performed by red teams, internal security auditors, or known security tools under authorization.
 58
 59### Response and remediation
 60
 61- If confirmed malicious:
 62    - Identify successful sign-in attempts or API calls made by the user or app.
 63    - Revoke active sessions or tokens associated with the identified user/app.
 64    - Disable the account or rotate credentials immediately.
 65    - Review the role assignments (`Directory.Read.All`, `AuditLog.Read.All`, `Directory.AccessAsUser.All`) and remove excessive privileges.
 66    - Conduct historical analysis to determine how long enumeration has been occurring and what objects were queried.
 67    - Enable Conditional Access policies to require MFA for API and CLI-based access.
 68    - Validate audit logging and alerting is enabled across Microsoft Graph, Azure Activity Logs, and M365 workloads.
 69
 70- If legitimate:
 71    - Document the source or user (e.g., red team operation, security tool).
 72    - Add appropriate allowlist conditions for service principal, user, source address or device if policy allows.
 73
 74"""
 75references = [
 76    "https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign",
 77    "https://github.com/Flangvik/TeamFiltration",
 78]
 79risk_score = 47
 80rule_id = "f541ca3a-5752-11f0-b44b-f661ea17fbcd"
 81severity = "medium"
 82tags = [
 83    "Domain: Cloud",
 84    "Data Source: Azure",
 85    "Data Source: Microsoft 365",
 86    "Data Source: Microsoft 365 Audit Logs",
 87    "Data Source: Microsoft Entra ID",
 88    "Data Source: Microsoft Entra ID Sign-in Logs",
 89    "Use Case: Identity and Access Audit",
 90    "Use Case: Threat Detection",
 91    "Tactic: Discovery",
 92    "Resources: Investigation Guide",
 93]
 94timestamp_override = "event.ingested"
 95type = "query"
 96
 97query = '''
 98event.dataset:("azure.signinlogs" or "o365.audit")
 99    and ((user_agent.name:"Electron" and user_agent.os.name:"Windows" and user_agent.version:"8.5.1") or
100    user_agent.original:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36")
101'''
102
103
104[[rule.threat]]
105framework = "MITRE ATT&CK"
106[[rule.threat.technique]]
107id = "T1069"
108name = "Permission Groups Discovery"
109reference = "https://attack.mitre.org/techniques/T1069/"
110[[rule.threat.technique.subtechnique]]
111id = "T1069.003"
112name = "Cloud Groups"
113reference = "https://attack.mitre.org/techniques/T1069/003/"
114
115
116[[rule.threat.technique]]
117id = "T1082"
118name = "System Information Discovery"
119reference = "https://attack.mitre.org/techniques/T1082/"
120
121[[rule.threat.technique]]
122id = "T1087"
123name = "Account Discovery"
124reference = "https://attack.mitre.org/techniques/T1087/"
125[[rule.threat.technique.subtechnique]]
126id = "T1087.004"
127name = "Cloud Account"
128reference = "https://attack.mitre.org/techniques/T1087/004/"
129
130
131[[rule.threat.technique]]
132id = "T1201"
133name = "Password Policy Discovery"
134reference = "https://attack.mitre.org/techniques/T1201/"
135
136[[rule.threat.technique]]
137id = "T1526"
138name = "Cloud Service Discovery"
139reference = "https://attack.mitre.org/techniques/T1526/"
140
141[[rule.threat.technique]]
142id = "T1580"
143name = "Cloud Infrastructure Discovery"
144reference = "https://attack.mitre.org/techniques/T1580/"
145
146[[rule.threat.technique]]
147id = "T1673"
148name = "Virtual Machine Discovery"
149reference = "https://attack.mitre.org/techniques/T1673/"
150
151
152[rule.threat.tactic]
153id = "TA0007"
154name = "Discovery"
155reference = "https://attack.mitre.org/tactics/TA0007/"
156[[rule.threat]]
157framework = "MITRE ATT&CK"
158[[rule.threat.technique]]
159id = "T1110"
160name = "Brute Force"
161reference = "https://attack.mitre.org/techniques/T1110/"
162[[rule.threat.technique.subtechnique]]
163id = "T1110.003"
164name = "Password Spraying"
165reference = "https://attack.mitre.org/techniques/T1110/003/"
166
167
168
169[rule.threat.tactic]
170id = "TA0006"
171name = "Credential Access"
172reference = "https://attack.mitre.org/tactics/TA0006/"