New 'UNK_SneakyStrike' Campaign Threatens Over 80,000 Microsoft Entra ID Accounts with TeamFiltration Tool

June 12, 2025
  • Cybersecurity researchers have uncovered a new account takeover campaign named UNK_SneakyStrike, which specifically targets Microsoft Entra ID accounts using an open-source tool called TeamFiltration.

  • Since its inception in late 2024, this campaign has impacted over 80,000 user accounts across various organizations, leading to confirmed credential compromises and unauthorized access.

  • The campaign employs a sophisticated targeting strategy, attempting to access all user accounts in smaller cloud tenants while selectively attacking users in larger tenants.

  • The TeamFiltration tool enables attackers to exploit applications like Microsoft Teams, OneDrive, and Outlook, utilizing features such as account enumeration via the Teams API and password spraying across multiple AWS regions.

  • Proofpoint has documented that the malicious activities associated with TeamFiltration often originate from various geographic locations, primarily the United States, Ireland, and Great Britain.

  • The campaign also targets specific Microsoft OAuth client applications to obtain refresh tokens for unauthorized access, employing IP rotation through AWS servers to evade detection.

  • Organizations are advised to monitor for unusual sign-ins, audit OAuth applications, implement multi-factor authentication (MFA), and stay informed about emerging tactics, techniques, and procedures (TTPs) in cyber threats.

  • UNK_SneakyStrike is marked by bursts of unauthorized access attempts targeting multiple users within a single cloud environment, followed by quiet periods of four to five days.

  • To carry out these operations, attackers need an AWS account and a disposable Microsoft 365 account, which are used for password spraying and account enumeration.

  • Malicious activities supported by TeamFiltration include password spraying, data exfiltration, and maintaining persistent access by uploading malicious files to OneDrive.

  • Attackers can replace legitimate documents in a victim's OneDrive with lookalike files that may contain malware or macros, further compromising systems.

  • TeamFiltration, originally released as a penetration testing framework by researcher Melvin 'Flangvik' Langvik in August 2022, is now being weaponized by attackers to carry out account takeover attacks.
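
The burst-then-quiet pattern and the advice to monitor for unusual sign-ins can be expressed as detection logic over sign-in records. The following is an added example, not code from the cited reports or from TeamFiltration; the event field names (time, tenant, user, ip, success), the thresholds and the sample data are assumptions and do not reflect the Entra ID log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own sign-in baseline.
BURST_GAP = timedelta(minutes=30)  # failures closer together than this share a burst
MIN_USERS = 5                      # distinct targeted users needed to call it a burst
QUIET_DAYS = (4.0, 5.0)            # pause between bursts described in the summary

def find_bursts(events):
    """Group failed sign-ins per tenant into bursts that hit many distinct users."""
    by_tenant = defaultdict(list)
    for e in events:
        if not e["success"]:
            by_tenant[e["tenant"]].append(e)
    bursts = []
    for tenant, evs in by_tenant.items():
        evs.sort(key=lambda e: e["time"])
        group = [evs[0]]
        for e in evs[1:] + [None]:  # trailing None flushes the final group
            if e is not None and e["time"] - group[-1]["time"] <= BURST_GAP:
                group.append(e)
                continue
            users = {g["user"] for g in group}
            if len(users) >= MIN_USERS:
                bursts.append({"tenant": tenant, "start": group[0]["time"],
                               "end": group[-1]["time"], "users": users,
                               "ips": {g["ip"] for g in group}})
            group = [e]
    return bursts

def quiet_period_pairs(bursts):
    """Return (tenant, gap_days) where consecutive bursts in a tenant match the quiet window."""
    bs = sorted(bursts, key=lambda b: (b["tenant"], b["start"]))
    hits = []
    for prev, nxt in zip(bs, bs[1:]):
        gap = (nxt["start"] - prev["end"]).total_seconds() / 86400
        if prev["tenant"] == nxt["tenant"] and QUIET_DAYS[0] <= gap <= QUIET_DAYS[1]:
            hits.append((prev["tenant"], round(gap, 1)))
    return hits

def sample_events():
    """Constructed data: two 8-user bursts 4.5 days apart, plus one stray failure."""
    t0, tenant = datetime(2025, 1, 6, 9, 0), "tenant-a"
    evs = [{"time": s + timedelta(minutes=i), "tenant": tenant, "user": f"user{i}",
            "ip": f"198.51.100.{i}", "success": False}
           for s in (t0, t0 + timedelta(days=4, hours=12)) for i in range(8)]
    evs.append({"time": t0 + timedelta(days=1), "tenant": tenant, "user": "user1",
                "ip": "203.0.113.9", "success": False})
    return evs
```

Grouping by tenant rather than by source IP keeps the burst visible when the attempts are spread across rotating addresses.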

Summary based on 2 sources



Sources


New Campaign Targets Entra ID User Accounts Using Pentesting Tool for Account Takeover

GBHackers Security | #1 Globally Trusted Cyber Security News Platform • Jun 12, 2025
