Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts.
The activity, codenamed UNK_SneakyStrike by Proofpoint, has targeted over 80,000 user accounts across hundreds of organizations' cloud tenants since a surge in login attempts was observed in December 2024, leading to successful account takeovers.
"Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts," the enterprise security company said. "Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others."
TeamFiltration, publicly released by researcher Melvin "Flangvik" Langvik in August 2022 at the DEF CON security conference, is described as a cross-platform framework for "enumerating, spraying, exfiltrating, and backdooring" Entra ID accounts.
The tool offers extensive capabilities to facilitate account takeover using password spraying attacks, data exfiltration, and persistent access by uploading malicious files to the target's Microsoft OneDrive account.
While the tool requires an Amazon Web Services (AWS) account and a disposable Microsoft 365 account to facilitate password spraying and account enumeration functions, Proofpoint said it observed evidence of malicious activity leveraging TeamFiltration to conduct these activities such that each password spraying wave originates from a different server in a new geographic location.
At its peak, the campaign targeted 16,500 accounts in a single day in early January 2025. The three primary source geographies linked to malicious activity based on the number of IP addresses include the United States (42%), Ireland (11%), and Great Britain (8%).
When reached for comment, an AWS spokesperson told The Hacker News that customers are required to abide by its terms and that it takes steps to block prohibited content.
"AWS has clear terms that require our customers to use our services in compliance with applicable law," the spokesperson said. "When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process."
The UNK_SneakyStrike activity has been described as "large-scale user enumeration and password spraying attempts," with the unauthorized access efforts occurring in "highly concentrated bursts" targeting several users within a single cloud environment. This is followed by a lull that lasts for four to five days.
The findings once again highlight how tools designed to assist cybersecurity professionals can be misused by threat actors to carry out a wide range of nefarious actions that allow them to breach user accounts, harvest sensitive data, and establish persistent footholds.
"UNK_SneakyStrike's targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants," Proofpoint said. "This behaviour matches the tool's advanced target acquisition features, designed to filter out less desirable accounts."
