Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts.
The activity, codenamed UNK_SneakyStrike by Proofpoint, has affected over 80,000 targeted user accounts across hundreds of organizations’ cloud tenants since a surge in login attempts was observed in December 2024, leading to successful account takeovers.
“Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts,” the enterprise security company said. “Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others.”
TeamFiltration, publicly released by researcher Melvin “Flangvik” Langvik, in August 2022 at the DEF CON security conference, is described as a cross-platform framework for “enumerating, spraying, exfiltrating, and backdooring” Entra ID accounts.
The tool offers extensive capabilities to facilitate account takeover using password spraying attacks, data exfiltration, and persistent access by uploading malicious files to the target’s Microsoft OneDrive account.
While the tool requires an Amazon Web Services (AWS) account and a disposable Microsoft 365 account to facilitate password spraying and account enumeration functions, Proofpoint said it observed evidence of malicious activity leveraging TeamFiltration to conduct these activities such that each password spraying wave originates from a different server in a new geographic location.
The three primary source geographies linked to malicious activity based on the number of IP addresses include the United States (42%), Ireland (11%), and Great Britain (8%).
The UNK_SneakyStrike activity has been described as “large-scale user enumeration and password spraying attempts,” with the unauthorized access efforts occurring in “highly concentrated bursts” targeting several users within a single cloud environment. This is followed by a lull that lasts for four to five days.
The findings once again highlight how tools designed to assist cybersecurity professionals can be misused by threat actors to carry out a wide range of nefarious actions that allow them to breach user accounts, harvest sensitive data, and establish persistent footholds.
“UNK_SneakyStrike’s targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants,” Proofpoint said. “This behaviour matches the tool’s advanced target acquisition features, designed to filter out less desirable accounts.”
