TeamFiltration Exploited in Major Entra ID Account Takeover Campaign
June 13, 2025
Attackers target every user account in smaller cloud tenants but only a subset of users in larger tenants, using TeamFiltration's advanced targeting capabilities.
A large-scale account takeover campaign is currently underway, utilizing the TeamFiltration penetration testing framework to target Entra ID users.
TeamFiltration, which was released in 2022, automates various tactics, techniques, and procedures for account takeover attacks, including account enumeration and password spraying.
This campaign began in December 2024, with attackers focusing on user accounts across approximately 100 cloud tenants, reaching its peak in January 2025.
The operation, tracked as UNK_SneakyStrike, uses a combination of the Microsoft Teams API and AWS servers to conduct password-spraying attacks.
Investigations have linked the attacks to application IDs that are pre-configured in TeamFiltration, which allow the use of special tokens to access Entra ID accounts.
Most of the attack attempts have been traced back to AWS infrastructure located in the United States (42%), Ireland (11%), and the United Kingdom (8%).
Proofpoint highlights the dual nature of TeamFiltration, noting that while it serves as a tool for cybersecurity practitioners, it can also be exploited by threat actors for malicious activities.
A distinctive user agent linked to an outdated version of Microsoft Teams was identified, along with attempts to access a specific sign-in application from incompatible devices.
Attack patterns typically consist of concentrated bursts targeting a wide range of users within a single cloud environment, followed by quiet periods lasting four to five days.
Summary based on 1 source