CyberSecurity news

FlagThis - #proofpoint

info@thehackernews.com (The@The Hacker News //
A new account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Cybersecurity researchers at Proofpoint have identified that the campaign is leveraging the TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts impacting over 80,000 user accounts across hundreds of organizations' cloud tenants. This poses a significant threat to cloud security, as successful account takeovers can lead to data exfiltration and further malicious activities.

The attackers are leveraging the TeamFiltration framework to identify valid user accounts and use password-spraying techniques to gain access. They have been observed utilizing Microsoft Teams API and Amazon Web Services (AWS) servers from various geographic locations to carry out user enumeration and password-spraying attacks. Once an account is compromised, the attackers are able to access sensitive data and potentially upload malicious files to the target user's OneDrive. This campaign demonstrates how legitimate pentesting tools can be exploited for malicious purposes, highlighting the need for robust security measures.

Organizations are advised to monitor for indicators of compromise related to the UNK_SneakyStrike campaign. According to researchers, unauthorized access attempts tend to occur in concentrated bursts targeting a wide range of users within a single cloud environment. This is followed by quiet periods. The attackers appear to be attempting to access all user accounts within smaller cloud tenants while focusing on a subset of users in larger ones. Defenders are urged to check if any of their organization's accounts have been compromised and implement stronger authentication measures to prevent future account takeovers.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Virus Bulletin: Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts.
  • The Hacker News: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool
  • Help Net Security: Researchers warn of ongoing Entra ID account takeover campaign
  • ciso2ciso.com: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool – Source:thehackernews.com
  • www.helpnetsecurity.com: Researchers warn of ongoing Entra ID account takeover campaign
  • Proofpoint Threat Insight: Attackers Unleash TeamFiltration Account Takeover Campaign
  • BleepingComputer: Password-spraying attacks target 80,000 Microsoft Entra ID accounts
  • Techzine Global: Cybercriminals are using the TeamFiltration pentesting tool in a large-scale campaign targeting Office 365 accounts. The attacks, attributed to UNK_SneakyStrike, have so far targeted more than 80,000 user accounts.
  • www.scworld.com: TeamFiltration pentesting tool harnessed in global Microsoft Entra ID attack campaign
  • bsky.app: Reported UNK_SneakyStrike campaigns have leveraged TeamFiltration which can steal the victim’s Cookies, Password, History, Bookmarks and AutoFill data.
  • sra.io: UNK_SneakyStrike weaponizes TeamFiltration tool targeting 80K+ Entra ID accounts via AWS infrastructure. #AccountTakeover #Microsoft365 #AWS The post appeared first on .
  • Security Risk Advisors: UNK_SneakyStrike Campaign Weaponizes TeamFiltration Tool to Target 80,000 Entra ID Accounts
Classification:
@thehackernews.com //
North Korean state-sponsored actor Konni, also known as TA406, has been observed targeting Ukrainian government entities in intelligence collection operations. Researchers at Proofpoint uncovered phishing campaigns initiated in February 2025, where the threat group delivered both credential harvesting tools and malware. These attacks are designed to gather intelligence on the trajectory of the Russian invasion, reflecting Konni's broader pattern of cyber espionage and information gathering. The group's activities extend beyond Ukraine, as they have historically targeted government entities in Russia for strategic intelligence purposes.

The phishing emails used in the attacks often impersonate think tanks and reference important political events or military developments to lure their targets. These emails contain links to password-protected RAR archives hosted on cloud services. Once opened, these archives launch infection sequences designed to conduct extensive reconnaissance of compromised machines. A common tactic involves using CHM files displaying decoy content related to Ukrainian military figures. Clicking on the decoy content triggers the execution of a PowerShell command, downloading a next-stage PowerShell payload from an external server.

This newly launched PowerShell script is capable of gathering detailed information about the compromised system, encoding it, and sending it back to the attacker's server. In some instances, Proofpoint observed HTML files being directly distributed as attachments, instructing victims to click embedded links to download ZIP archives containing malicious files. The ultimate goal of these campaigns is to collect intelligence relevant to the conflict, potentially to support North Korea's military involvement alongside Russia in Ukraine and assess the political landscape.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • The Hacker News: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • securityonline.info: In a recently disclosed campaign, TA406, a North Korean state-aligned threat actor, has expanded its cyber-espionage efforts by The post appeared first on SecurityOnline.
  • securityonline.info: TA406 Cyber Campaign: North Korea’s Focus on Ukraine Intelligence
  • www.bleepingcomputer.com: North Korea ramps up cyberspying in Ukraine to assess war risk
  • Proofpoint Threat Insight: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.
  • Virus Bulletin: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.
  • cyberriskleaders.com: North Korean Threat Actor TA406 Targets Ukraine for Intelligence Gathering
  • iHLS: North Korean Hackers Target Ukraine to Gauge Russian Military Needs
  • BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • bsky.app: North Korea ramps up cyberspying in Ukraine to assess war risk
  • www.csoonline.com: After helping Russia on the ground North Korea targets Ukraine with cyberespionage
Classification: