Jun 12, 2025Ravie LakshmananEnterprise Safety / Lively Listing
Cybersecurity researchers have uncovered a brand new account takeover (ATO) marketing campaign that leverages an open-source penetration testing framework known as TeamFiltration to breach Microsoft Entra ID (previously Azure Lively Listing) person accounts.
The exercise, codenamed UNK_SneakyStrike by Proofpoint, has affected over 80,000 focused person accounts throughout tons of of organizations’ cloud tenants since a surge in login makes an attempt was noticed in December 2024, resulting in profitable account takeovers.
“Attackers leverage Microsoft Groups API and Amazon Net Providers (AWS) servers positioned in varied geographical areas to launch user-enumeration and password-spraying makes an attempt,” the enterprise safety firm stated. “Attackers exploited entry to particular sources and native purposes, corresponding to Microsoft Groups, OneDrive, Outlook, and others.”
TeamFiltration, publicly launched by researcher Melvin “Flangvik” Langvik, in August 2022 on the DEF CON safety convention, is described as a cross-platform framework for “enumerating, spraying, exfiltrating, and backdooring” Entra ID accounts.
The software presents intensive capabilities to facilitate account takeover utilizing password spraying assaults, information exfiltration, and protracted entry by importing malicious recordsdata to the goal’s Microsoft OneDrive account.
Whereas the software requires an Amazon Net Providers (AWS) account and a disposable Microsoft 365 account to facilitate password spraying and account enumeration features, Proofpoint stated it noticed proof of malicious exercise leveraging TeamFiltration to conduct these actions such that every password spraying wave originates from a unique server in a brand new geographic location.
The three major supply geographies linked to malicious exercise primarily based on the variety of IP addresses embrace the USA (42%), Eire (11%), and Nice Britain (8%).
The UNK_SneakyStrike exercise has been described as “large-scale person enumeration and password spraying makes an attempt,” with the unauthorized entry efforts occurring in “extremely concentrated bursts” focusing on a number of customers inside a single cloud setting. That is adopted by a lull that lasts for 4 to 5 days.
The findings as soon as once more spotlight how instruments designed to help cybersecurity professionals could be misused by risk actors to hold out a variety of nefarious actions that enable them to breach person accounts, harvest delicate information, and set up persistent footholds.
“UNK_SneakyStrike’s focusing on technique suggests they try to entry all person accounts inside smaller cloud tenants whereas focusing solely on a subset of customers in bigger tenants,” Proofpoint stated. “This behaviour matches the software’s superior goal acquisition options, designed to filter out much less fascinating accounts.”
Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.
