Cybersecurity researchers have discovered a new account Takeover (ATO) campaign that leverages an open source penetration testing framework called TeamFiltration that violates Microsoft Entra ID (formerly Azure Active Directory) user accounts.
Activity, codename unk_sneakystrike According to Proofpoint, since a surge in login attempts was observed in December 2024, it has targeted more than 80,000 user accounts across hundreds of organizations’ cloud tenants, and has successfully acquired the account.
“Attackers will launch attempts to leverage Microsoft Teams APIs and Amazon Web Services (AWS) servers in various geographical regions to spray user approvals and passwords,” Enterprise Security Company said. “The attackers used access to certain resources and native applications, such as Microsoft Teams, OneDrive, and Outlook.”
TeamFiltration, published by researcher Melvin “Franvik” Langvik at the DEF CON Security Conference in August 2022, is described as a cross-platform framework for Entra ID accounts for “enumeration, spray, exfoliation, backdooring.”
The tool offers a wide range of features to promote account takeover using password spray attacks, data removal, and permanent access by uploading malicious files to the target Microsoft OneDrive account.
The tool requires an Amazon Web Services (AWS) account and a disposable Microsoft 365 account to promote password spray and account enumeration capabilities, but ProofPoint said it has leveraged these activities to observe evidence of malicious activity to leverage these activities so that each password spray wave comes from another server in a new geographical location.
Three major source regions linked to malicious activity based on the number of IP addresses include the US (42%), Ireland (11%), and the UK (8%).
UNK_SNeakyStrike activity is known as “large user enumeration and password spray attempts,” and leads to unauthorized access efforts with “high bursts” targeting multiple users within a single cloud environment. This is followed by a lull that lasts for 4-5 days.
The findings once again highlight how tools designed to assist cybersecurity experts can be misused by threat actions.
“UNK_SNeakyStrike’s targeting strategy suggests that we try to access all user accounts within a small cloud tenant, focusing only on a subset of users in the larger tenant,” ProofPoint said. “This behavior matches the advanced targeting capabilities of tools designed to exclude unwanted accounts.”
