Cyberattack by UNK_SneakyStrike Targets 80,000 Microsoft Entra ID Accounts Using TeamFiltration
June 12, 2025
A significant cyberattack campaign, attributed to the threat actor UNK_SneakyStrike, has been targeting over 80,000 Microsoft Entra ID accounts globally since December 2024.
Researchers from Proofpoint have identified that this ongoing campaign utilizes the TeamFiltration pentesting framework to conduct brute-force attacks on these accounts.
Since the campaign's inception, it has resulted in numerous successful account takeovers across hundreds of organizations.
The peak of this malicious activity occurred on January 8, 2025, when 16,500 accounts were targeted in a single day, followed by periods of inactivity.
The attack patterns reveal concentrated bursts of unauthorized access attempts, particularly against smaller cloud tenants and specific user subsets within larger organizations.
TeamFiltration, a legitimate pentesting tool released in 2022, has been misused by attackers to identify valid user accounts and perform password spraying attacks.
Attackers create legitimate Microsoft 365 accounts to leverage APIs and gain access to sensitive information once an account is compromised.
The attackers have utilized AWS servers from various regions, with a notable 42% of attacks originating from IP addresses in the United States.
To mitigate these risks, organizations are advised to implement strong, unique passwords, enable multi-factor authentication, and monitor login attempts.
Regularly reviewing login logs and disabling unused accounts are also recommended to enhance security against potential account takeovers.
Additional recommendations include blocking IPs listed in Proofpoint's indicators of compromise and creating detection rules for the TeamFiltration user agent string.
The threat actor's strategy includes targeting all users in smaller organizations while selectively focusing on subsets of users in larger organizations.
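The monitoring advice above (review login logs, watch for bursts of attempts, write a rule for the TeamFiltration user agent) can be sketched as follows. This is an added example, not code from Proofpoint or either source; the record fields, thresholds and sample events are constructed assumptions, and the user agent is a placeholder to be replaced with the value from Proofpoint's indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder, not a real value: use the string from Proofpoint's indicators.
SUSPECT_UA = "<TEAMFILTRATION_USER_AGENT_FROM_IOC_LIST>"

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: max distinct accounts with failed sign-ins in one window}
    for IPs at or above min_users (many accounts, few tries each)."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["success"]:
            by_ip[e["ip"]].append((e["time"], e["user"]))
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the left edge until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                findings[ip] = max(findings.get(ip, 0), len(users))
    return findings

def successes_from(events, flagged_ips):
    """Accounts with a successful sign-in from a flagged IP: triage these first."""
    return sorted({e["user"] for e in events
                   if e["success"] and e["ip"] in flagged_ips})

def ua_hits(events, ua=SUSPECT_UA):
    """Sign-ins whose user agent equals the tool's string, from any IP."""
    return [e for e in events if e["ua"] == ua]

def sample_events():
    """Constructed records; field names are assumptions, not an Entra ID schema."""
    t0 = datetime(2025, 1, 8, 9, 0)
    def ev(sec, ip, user, ua, ok=False):
        return {"time": t0 + timedelta(seconds=sec), "ip": ip,
                "user": user, "ua": ua, "success": ok}
    spray = [ev(50 * i, "203.0.113.10", f"user{i}@example.com", SUSPECT_UA)
             for i in range(6)]
    spray.append(ev(360, "203.0.113.10", "user3@example.com", SUSPECT_UA, True))
    typo = [ev(20 * i, "198.51.100.7", "alice@example.com", "Mozilla/5.0")
            for i in range(6)]
    return spray + typo

if __name__ == "__main__":
    flagged = detect_spray(sample_events())
    print(flagged, successes_from(sample_events(), flagged))
```

Counting distinct accounts per source IP, rather than raw failures, keeps a single user who mistypes a password several times from being flagged.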
Summary based on 2 sources
Sources

BleepingComputer • Jun 12, 2025
Password-spraying attacks target 80,000 Microsoft Entra ID accounts
Help Net Security • Jun 12, 2025
Researchers warn of ongoing Entra ID account takeover campaign - Help Net Security