Microsoft 365: TeamFiltration Vs MFA

TeamFiltration Vs MFA

TeamFiltration is a Microsoft 365 exploitation and post-exploitation framework which was publicly released on in August 2022 after it was presented at DEF CON 30. TeamFiltration allows penetration testers (and adversaries) to identify valid username and password combinations through enumeration and password spraying, which can then be used for account access and data exfiltration.

With a set of valid credentials, TeamFiltration is capable of exfiltrating all data available via the Teams, Outlook, OneDrive and Graph APIs.

According to the tool's wiki, one feature is that if it detects Multi-Factor Authentication (MFA), it will try and bypass it...  That's pretty cool if you're a penetration tester, but its also pretty scary. So I set out to test the circumstances in which MFA could be bypassed and how you can protect user data from TeamFiltration. 

The goal: To confirm which implementations of MFA in Azure AD are sufficient to protect against the TeamFiltration Exfil module's MFA bypass capabilities, should a user's credentials have been compromised.

The MFA implementations to be tested: No MFA, Conditional Access Policy, Per-User MFA and Security Defaults.


I began by creating some different users, each of which with a different MFA status:

Once created, I used the accounts to send an email with an attachment, send a file via Teams and upload a file to OneDrive.

Then, I downloaded TeamFiltration from GitHub to my 'attacker machine'. As I was only testing the MFA-bypass element of TeamFiltration, I only used the 'Exfil' module, I left the configuration file alone and added the username and password for my 4 test accounts 1 at a time. My command syntax looked like:

TeamFiltration.exe --outpath .\Database --config .\config.json --exfil --all --username testaccount1@test-domain[.]com --password Password123!


1.1. No MFA (Exfiltration - Success)

(Per-User Multi-Factor Authentication Status = Disabled)

As to be expected, when TeamFiltration was fed the correct username and password for the account with no MFA, it was able to log in to the account and exfiltrate the user's Emails, OneDrive files, Teams chat logs (and attachments) whilst also extracting the username's of all other users in the tenant.

Useful as an example of what can be exfiltrated though.

1.2. User-added MFA (Exfiltration - Success)

(Per-User Multi-Factor Authentication Status = Disabled)

After the first test for the no MFA account, I added a multifactor authentication device to the account (as if the user had done so themselves) in the Security info section of the "My Sign-Ins" portal.

Adding MFA as a sign-in method in this way had no effect on TeamFiltration's ability to exfiltrate data and the same files and emails were downloaded to my 'attack machine'.

2.1. Conditional Access Policy MFA Account (Exfiltration - Fail)

(Conditional Access Policy applied to = All Cloud Apps)

In my testing, I configured the Conditional Access Policy to require MFA for 'All cloud apps'.

In my testing, so long as the Conditional Access Policy was configured to require MFA for 'All cloud apps', TeamFiltration was unable to bypass it. When executed with a correct username and password combination for the user, TeamFiltration produced an output indicating it was unable to access anything, also giving the friendly notice:

Not able to bypass the conditional access policy :(

2.2. Conditional Access Policy MFA Account (Exfiltration - Partial Success)

(Conditional Access Policy applied to = Office 365)

I experimented with Conditional Access Policy to see what could be exfiltrated when 'All cloud apps' was not selected. In one such experiment I amended the Conditional Access Policy to cover just 'Office 365' apps.

In my testing, this protected against the exfiltration of Outlook, Teams and OneDrive data despite. However, TeamFiltration was still able to enumerate all Azure AD usernames using the Graph API.

3. Per-User MFA (Exfiltration - Fail)

(Per-User Multi-Factor Authentication Status = Enabled or Enforced)

In my testing, TeamFiltration was unable to bypass Per-User MFA when it was 'Enabled' or 'Enforced'.

Not able to bypass the conditional access policy :(

4. Security Defaults (Exfiltration - Success)

(Per-User Multi-Factor Authentication Status = Disabled)

As Security Defaults is often used as a replacement for Conditional Access Policy by smaller organisations, I removed the Conditional Access Policy I had created previously and instead turned on Security Defaults.

In my testing, TeamFiltration was able to bypass Security Defaults as if no MFA was in place at all. Emails, chats, files and Azure AD users were all exfiltratable.

*Note however, that for users with 'enabled' or 'enforced' Per-User MFA in a tenant with Security Defaults enabled, TeamFiltration was still unable to exfiltrate any data.*


TeamFiltration's MFA bypass capability hinges on its ability to acquire valid access tokens or credentials and then subsequently use them to access parts of an Azure AD tenant not protected by MFA. There are also multiple ways in which MFA can be applied in an Azure AD tenant, so I set out to demystify how implementation of MFA can differ and which implementations of MFA could sufficiently protect against TeamFiltration and which could not. The summary of my experimentation is below:

If you use Conditional Access Policy - Ensure it covers 'All cloud apps'. In my experimentation, the level of protection provided by Conditional Access Policy was of course linked to which cloud applications were set to require MFA. One of my key findings was that simply protecting 'Office 365' was not enough to prevent the exfiltration of all Azure AD usernames. So if you are using Conditional Access Policy, ensure it covers 'All cloud apps'. By not covering 'All cloud apps' you risk exposing APIs to TeamFiltration which can be used to exfiltrate data. In my second Conditional Access Policy experiment, by selecting 'Office 365' as the included apps, I exposed the Graph API which could be used to exfiltrate Azure AD usernames.

If you use Security Defaults - Upgrade to Conditional Access Policy or use Per-User MFA. In my experimentation, MFA implemented with Security Defaults was insufficient and TeamFiltration could get round it as if it wasn't in place at all. This is because when MFA is implemented through Security Defaults, Azure AD decides when a user will be prompted for MFA based on factors such as location, device, role and task. In my experimentation I attacked a non-admin user from the same country as the user's last login, so Azure didn't seem to prompt TeamFiltration for MFA. As attackers can spoof location trivially, as we've seen in this experiment, Security Defaults is unlikely to provide the protection you need. If you have a Azure AD  Premium P1 or P2 licence, you can use Conditional Access Policy, but if this isn't an option for your organisation I suggest that you leave Security Defaults enabled (to protect against another MFA bypass technique by blocking legacy authentication) but bolster your defences by enabling or enforcing Per-User MFA.

If you use Per-User MFA - Ensure all users have an Enabled or Enforced status. In my experimentation, both 'Enabled' and 'Enforced' Per-User MFA statuses were sufficient to protect against TeamFiltration's exfiltration module should the user's credentials be compromised... This is because when Per-User MFA is Enabled (or Enforced) for a user, MFA must be completed each time they sign in (except when signing in from a trusted IP addresses or when the 'remember MFA on trusted devices' feature is turned on).  In my experimentation, this Per-User protection was still afforded when Security Defaults was enabled. Note that Enabled should be a temporary MFA status and that on the successful registering of MFA, they will automatically be switched to Enforced. You can skip straight to Enforced, but beware the user might experience loss of connections if using legacy authentication protocols. 

Whatever you use - Ensure you have a strong password policy. MFA bypass techniques are becoming increasingly prevalent as the use of MFA continues to rise in organisations. In 2022, every Business Email Compromise (BEC) I responded to utilised an MFA bypass technique of some sort, be it Adversary-in-The-Middle, use of legacy authentication or even adding their own Authenticator applications. MFA, when properly implemented of course provides a degree of protection, however it is no substitute for implementing a strong password policy. That however is a topic for another day...

*Congrats if you made it this far! If you did, you may like to know that in a previous blog I analysed common spraying tools (including TeamFiltration) to document what they look like in Microsoft 365 logging*

Published February 2023.