In a concerning development for enterprise cybersecurity, researchers have uncovered a sophisticated account takeover (ATO) campaign targeting Microsoft Entra ID users, which has affected more than 80,000 accounts across various organizations. The campaign, dubbed UNK_SneakyStrike by Proofpoint, utilizes an open-source tool known as TeamFiltration, designed for penetration testing, to execute its attacks.
The campaign reportedly began with a noticeable increase in login attempts in December 2024, leading to successful account takeovers. Attackers employ the Microsoft Teams API and use Amazon Web Services servers across multiple regions to carry out user enumeration and password spraying attacks. This approach lets them test credentials against essential applications such as Microsoft Teams, OneDrive, and Outlook, increasing their chances of compromising user accounts.
Developed by Melvin “Flangvik” Langvik and released in August 2022, TeamFiltration serves a dual purpose: it is a legitimate tool for security professionals and also a weapon in the hands of cybercriminals. The tool’s capabilities extend to data exfiltration and maintaining persistent access via malicious uploads to user accounts. According to Proofpoint, the recent attacks suggest a strategic focus on smaller cloud tenants for full-scale attempts, while selectively targeting higher-value users within larger organizations.
The geographical distribution of malicious activity shows a significant presence in the United States (42%), followed by Ireland (11%) and Great Britain (8%). The attack patterns consist of highly concentrated bursts of attempts interspersed with periods of inactivity, demonstrating a calculated approach to maintaining stealth while the attackers carry out their operations.
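The two telemetry signatures the article describes, password spraying (many accounts, few attempts each, from a small set of cloud-hosted source IPs) and a burst-then-silence cadence, can both be surfaced from sign-in logs. The script below is an added example written for this article; it is not Proofpoint's detection logic or part of TeamFiltration. It assumes a simplified line format standing in for Entra ID sign-in events, constructed sample lines using documentation IP ranges in place of cloud-provider egress addresses, and illustrative thresholds (10-minute window, 5 distinct users, 30-minute buckets) that a real deployment would tune.

```python
"""Detection sketch: password spraying and burst-and-pause cadence in sign-in logs.
Added example for this article; the log format, IPs and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not real telemetry). Each line is a
# simplified stand-in for an Entra ID sign-in event; 203.0.113.10 and
# 198.51.100.7 play the role of cloud-hosted spray sources, 192.0.2.x are
# ordinary users (one of whom simply mistyped a password three times).
SAMPLE_LOG = """\
2024-12-03T09:00:05Z user=u01@example.com ip=203.0.113.10 app=Teams result=failure
2024-12-03T09:00:31Z user=u02@example.com ip=203.0.113.10 app=Teams result=failure
2024-12-03T09:01:02Z user=u03@example.com ip=203.0.113.10 app=Teams result=failure
2024-12-03T09:01:40Z user=u04@example.com ip=203.0.113.10 app=Teams result=failure
2024-12-03T09:02:15Z user=u05@example.com ip=203.0.113.10 app=Teams result=failure
2024-12-03T09:02:48Z user=u06@example.com ip=203.0.113.10 app=Teams result=failure
2024-12-03T09:03:20Z user=u07@example.com ip=203.0.113.10 app=Teams result=failure
2024-12-03T09:03:55Z user=u08@example.com ip=203.0.113.10 app=Teams result=failure
2024-12-03T10:05:10Z user=alice@example.com ip=192.0.2.5 app=Outlook result=failure
2024-12-03T10:05:42Z user=alice@example.com ip=192.0.2.5 app=Outlook result=failure
2024-12-03T10:06:09Z user=alice@example.com ip=192.0.2.5 app=Outlook result=failure
2024-12-03T10:20:00Z user=bob@example.com ip=192.0.2.9 app=OneDrive result=success
2024-12-03T11:00:12Z user=u11@example.com ip=198.51.100.7 app=Teams result=failure
2024-12-03T11:00:44Z user=u12@example.com ip=198.51.100.7 app=Teams result=failure
2024-12-03T11:01:19Z user=u13@example.com ip=198.51.100.7 app=Teams result=failure
2024-12-03T11:01:50Z user=u14@example.com ip=198.51.100.7 app=Teams result=failure
2024-12-03T11:02:27Z user=u15@example.com ip=198.51.100.7 app=Teams result=failure
2024-12-03T11:03:01Z user=u16@example.com ip=198.51.100.7 app=Teams result=failure
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: sorted users} for source IPs that fail against at least
    `min_users` distinct accounts, no more than `max_per_user` times each,
    inside any `window`. That is the spray shape: a per-account lockout
    threshold never trips, but the per-source fan-out is unmistakable."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["time"])
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["time"] - start["time"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def failure_buckets(events, bucket=timedelta(minutes=30)):
    """Count failed sign-ins per fixed-size bucket across the log's span,
    keeping empty buckets so that pauses between bursts are visible."""
    fails = [e["time"] for e in events if e["result"] == "failure"]
    if not fails:
        return []
    first, last = min(fails), max(fails)
    t = datetime.min + ((first - datetime.min) // bucket) * bucket  # floor to bucket
    counts = []
    while t <= last:
        counts.append((t, sum(1 for f in fails if t <= f < t + bucket)))
        t += bucket
    return counts


def find_bursts(counts, min_count=5):
    """Bucket start times holding at least `min_count` failures whose
    neighbouring buckets are silent: concentrated attempts between idle periods."""
    bursts = []
    for i, (t, n) in enumerate(counts):
        if n < min_count:
            continue
        prev_quiet = i == 0 or counts[i - 1][1] == 0
        next_quiet = i == len(counts) - 1 or counts[i + 1][1] == 0
        if prev_quiet and next_quiet:
            bursts.append(t)
    return bursts


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for ip, users in detect_spray(ev).items():
        print(f"spray source {ip}: {len(users)} accounts targeted")
    for t in find_bursts(failure_buckets(ev)):
        print(f"burst starting {t:%H:%M} followed/preceded by silence")
```

On the sample, the two cloud-hosted sources are flagged as spray origins while alice's three failures against her own account are not, and the two 30-minute buckets at 09:00 and 11:00 stand out as isolated bursts. In production the same logic runs over exported sign-in logs with the IP dimension joined to a cloud-provider ASN list, which is what makes the AWS multi-region pattern described above actionable.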
As cybersecurity environments continue to evolve, the incident reinforces the importance of vigilance against the misuse of tools initially intended for constructive purposes. It serves as a critical reminder for organizations to enhance their security measures and remain proactive in protecting their digital assets.