Password-spraying attacks target 80,000 Microsoft Entra ID accounts

Hackers have been using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide.

The campaign started last December and has successfully hijacked multiple accounts, say researchers at cybersecurity company Proofpoint, who attribute the activity to a threat actor called UNK_SneakyStrike.

According to the researchers, the peak of the campaign happened on January 8, when it targeted 16,500 accounts in a single day. Such sharp bursts were followed by several days of inactivity.

Figure: Volume of attacks launched by UNK_SneakyStrike (Source: Proofpoint)

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 EntraID accounts. It was published in 2022 by TrustedSec red-team researcher Melvin Langvik.

In the UNK_SneakyStrike campaign that Proofpoint observed, TeamFiltration plays a central role in facilitating large-scale intrusion attempts.

The researchers report that the threat actor targets all users in small tenants, while in larger ones UNK_SneakyStrike selects only users from a subset.

"Since December 2024, UNK_SneakyStrike activity has affected over 80,000 targeted user accounts across hundreds of organizations, resulting in several cases of successful account takeover," Proofpoint explains.

The researchers linked the malicious activity to TeamFiltration after identifying a rare user agent the tool uses, as well as matching OAuth client IDs hardcoded in the tool's logic.
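The attribution method described above (matching a tool's user agent and OAuth client IDs) can be paired with a basic spray heuristic when reviewing sign-in logs. The following is an added example, not code from the article or from Proofpoint; the record fields, the watchlist values (placeholders, because the article does not list the actual indicators), the threshold and the sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Placeholders: the article does not publish the actual user agent or client IDs.
UA = "<TEAMFILTRATION_USER_AGENT_PLACEHOLDER>"
APP = "<HARDCODED_CLIENT_ID_PLACEHOLDER>"
WATCH_USER_AGENTS, WATCH_CLIENT_IDS = {UA}, {APP}
SPRAY_THRESHOLD = 3  # assumed: distinct failed accounts per source per day

def _rec(time, user, ip, ua, app, ok):
    return {"time": time, "user": user, "ip": ip, "user_agent": ua, "app_id": app, "ok": ok}

# Constructed sample sign-in records (hypothetical schema, not real log data).
SAMPLE_LOG = [
    _rec("2025-01-08T09:00:01", "alice@example.com", "203.0.113.10", UA, APP, False),
    _rec("2025-01-08T09:00:02", "bob@example.com", "203.0.113.10", UA, APP, False),
    _rec("2025-01-08T09:00:03", "carol@example.com", "203.0.113.10", UA, APP, False),
    _rec("2025-01-08T09:00:04", "dave@example.com", "203.0.113.10", UA, APP, True),
    _rec("2025-01-08T10:15:00", "erin@example.com", "198.51.100.7", "Mozilla/5.0", "app-portal", False),
    _rec("2025-01-08T10:15:30", "erin@example.com", "198.51.100.7", "Mozilla/5.0", "app-portal", True),
]

def _day(record):
    return datetime.fromisoformat(record["time"]).date().isoformat()

def indicator_hits(records):
    """Records whose user agent or OAuth client ID is on the watchlist."""
    return [r for r in records
            if r["user_agent"] in WATCH_USER_AGENTS or r["app_id"] in WATCH_CLIENT_IDS]

def spray_sources(records, threshold=SPRAY_THRESHOLD):
    """(ip, day) pairs with failed sign-ins against >= threshold distinct accounts."""
    targets = defaultdict(set)
    for r in records:
        if not r["ok"]:
            targets[(r["ip"], _day(r))].add(r["user"].lower())
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}

def takeover_candidates(records, threshold=SPRAY_THRESHOLD):
    """Accounts with a successful sign-in from a source that sprayed the same day."""
    sprayers = spray_sources(records, threshold)
    return sorted({r["user"].lower() for r in records
                   if r["ok"] and (r["ip"], _day(r)) in sprayers})
```

Accounts returned by `takeover_candidates` are the ones to prioritize for session revocation and credential reset, since a success from a spraying source suggests a guessed password.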
