Threat Actor Abuses TeamFiltration for Entra ID Account Takeovers: https://t.co/OWC5aJYdMt by darkreading #infosec #cybersecurity #technology #news
Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion: https://t.co/qhOKDCXtyI by The Hacker News #infosec #cybersecurity #technology #news
Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool https://t.co/C3DnjTM5j8
Former affiliates of the Black Basta ransomware group have resumed cyberattacks in 2025, combining Microsoft Teams phishing with Python scripts to covertly hijack networks. Approximately half of these attacks originate from legitimate-looking Microsoft domains, which complicates detection by security teams. A recent campaign targeted over 80,000 Microsoft Entra ID accounts using an open-source tool called TeamFiltration. Attackers exploited the Microsoft Teams API and Amazon Web Services (AWS) servers around the world to conduct password spraying, exfiltrate data, and establish persistent access within compromised systems. Additionally, ransomware groups have been exploiting unpatched vulnerabilities in the remote access software SimpleHelp to carry out double extortion attacks on victims. The ongoing abuse of TeamFiltration for Entra ID account takeovers has been highlighted by cybersecurity sources.