FlagThis - #proofpoint

A new account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Cybersecurity researchers at Proofpoint have identified that the campaign is leveraging the TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts impacting over 80,000 user accounts across hundreds of organizations' cloud tenants. This poses a significant threat to cloud security, as successful account takeovers can lead to data exfiltration and further malicious activities.

The attackers are leveraging the TeamFiltration framework to identify valid user accounts and use password-spraying techniques to gain access. They have been observed utilizing Microsoft Teams API and Amazon Web Services (AWS) servers from various geographic locations to carry out user enumeration and password-spraying attacks. Once an account is compromised, the attackers are able to access sensitive data and potentially upload malicious files to the target user's OneDrive. This campaign demonstrates how legitimate pentesting tools can be exploited for malicious purposes, highlighting the need for robust security measures.

Organizations are advised to monitor for indicators of compromise related to the UNK_SneakyStrike campaign. According to researchers, unauthorized access attempts tend to occur in concentrated bursts targeting a wide range of users within a single cloud environment. This is followed by quiet periods. The attackers appear to be attempting to access all user accounts within smaller cloud tenants while focusing on a subset of users in larger ones. Defenders are urged to check if any of their organization's accounts have been compromised and implement stronger authentication measures to prevent future account takeovers.


References :

• Virus Bulletin: Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts.
• The Hacker News: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool
• Help Net Security: Researchers warn of ongoing Entra ID account takeover campaign
• ciso2ciso.com: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool – Source:thehackernews.com
• www.helpnetsecurity.com: Researchers warn of ongoing Entra ID account takeover campaign
• Proofpoint Threat Insight: Attackers Unleash TeamFiltration Account Takeover Campaign
• BleepingComputer: Password-spraying attacks target 80,000 Microsoft Entra ID accounts
• Techzine Global: Cybercriminals are using the TeamFiltration pentesting tool in a large-scale campaign targeting Office 365 accounts. The attacks, attributed to UNK_SneakyStrike, have so far targeted more than 80,000 user accounts.
• www.scworld.com: TeamFiltration pentesting tool harnessed in global Microsoft Entra ID attack campaign
• bsky.app: Reported UNK_SneakyStrike campaigns have leveraged TeamFiltration which can steal the victim’s Cookies, Password, History, Bookmarks and AutoFill data.
• sra.io: UNK_SneakyStrike weaponizes TeamFiltration tool targeting 80K+ Entra ID accounts via AWS infrastructure. #AccountTakeover #Microsoft365 #AWS The post appeared first on .
• Security Risk Advisors: UNK_SneakyStrike Campaign Weaponizes TeamFiltration Tool to Target 80,000 Entra ID Accounts

Classification:

• HashTags: #AccountTakeover #EntraID #Cybersecurity
• Company: Microsoft
• Target: Microsoft Entra ID Users
• Attacker: Proofpoint
• Product: Entra ID
• Feature: account takeover
• Malware: TeamFiltration
• Type: Hack
• Severity: Major