A sophisticated hacking campaign has targeted over 80,000 Microsoft Entra ID accounts across hundreds of organizations worldwide, according to cybersecurity firm Proofpoint.
The attacks have been attributed to a threat actor dubbed UNK_SneakyStrike, who has been leveraging the TeamFiltration pentesting tool since December 2024 to hijack corporate accounts.
TeamFiltration, an open-source red-team framework developed by TrustedSec researcher Melvin Langvik in 2022, is designed to enumerate, spray, and exfiltrate Office 365 and Entra ID credentials. In this campaign, it played a central role in enabling large-scale intrusion attempts, with a peak attack volume recorded on January 8, when over 16,500 accounts were targeted in a single day.
“UNK_SneakyStrike activity has affected over 80,000 targeted user accounts, resulting in several cases of successful account takeover,” Proofpoint reported.
The attackers used AWS infrastructure to launch the attacks and exploited a ‘sacrificial’ Office 365 account to abuse the Microsoft Teams API for user enumeration. Attack traffic was largely traced back to IPs in the US (42%), Ireland (11%), and the UK (8%).
Proofpoint advises organizations to:
- Block IPs listed in its indicators of compromise (IOCs)
- Detect the TeamFiltration user agent string
- Enforce multi-factor authentication (MFA) and OAuth 2.0
- Apply conditional access policies in Microsoft Entra ID
As account takeovers remain a growing threat, proactive monitoring and layered security controls are critical for defending enterprise environments.
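The advice above (match IOC addresses, match the tool's user agent, watch for spraying) can be run as one pass over sign-in records. The sketch below is an added example, not code from Proofpoint or TeamFiltration. The record shape, thresholds, addresses and user-agent marker are constructed placeholders, to be replaced with the tenant's own log fields and the published IOC values.

```python
from collections import defaultdict, namedtuple

# Assumed, simplified record shape; map your sign-in log export onto it.
Event = namedtuple("Event", "ts user ip ua ok")

# Placeholders, NOT real indicators: load real values from the vendor's IOC list.
IOC_IPS = {"203.0.113.10"}              # constructed (RFC 5737 documentation range)
IOC_UA_MARKER = "PLACEHOLDER-TOOL-UA"   # constructed marker string
SPRAY_MIN_USERS = 3                     # distinct accounts failed from one source IP
WINDOW_SECONDS = 3600                   # sliding window for the spray check

BROWSER = "Mozilla/5.0 (constructed)"
SAMPLE_EVENTS = [  # constructed sample data
    Event(0, "a@example.com", "198.51.100.7", BROWSER, False),
    Event(60, "b@example.com", "198.51.100.7", BROWSER, False),
    Event(120, "c@example.com", "198.51.100.7", BROWSER, False),
    Event(180, "c@example.com", "198.51.100.7", BROWSER, True),   # success after spray
    Event(200, "d@example.com", "203.0.113.10", BROWSER, False),  # IOC address
    Event(300, "e@example.com", "192.0.2.55", "x " + IOC_UA_MARKER, False),  # IOC UA
    Event(400, "f@example.com", "192.0.2.99", BROWSER, False),    # ordinary mistype
    Event(460, "f@example.com", "192.0.2.99", BROWSER, True),
    Event(0, "g@example.com", "192.0.2.200", BROWSER, False),     # outside the window
    Event(4000, "h@example.com", "192.0.2.200", BROWSER, False),
    Event(8000, "i@example.com", "192.0.2.200", BROWSER, False),
]

def analyze(events):
    """Return (ioc_hits, spray_ips, takeover_suspects) for a list of Events."""
    ioc_hits = [e for e in events if e.ip in IOC_IPS or IOC_UA_MARKER in e.ua]
    failures = defaultdict(list)  # source IP -> [(ts, user)] for failed sign-ins
    for e in events:
        if not e.ok:
            failures[e.ip].append((e.ts, e.user))
    spray_ips = set()
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most WINDOW_SECONDS.
            while rows[end][0] - rows[start][0] > WINDOW_SECONDS:
                start += 1
            if len({u for _, u in rows[start:end + 1]}) >= SPRAY_MIN_USERS:
                spray_ips.add(ip)
                break
    flagged = spray_ips | {e.ip for e in ioc_hits}
    # A successful sign-in from a flagged source is a takeover candidate to triage.
    suspects = sorted({e.user for e in events if e.ok and e.ip in flagged})
    return ioc_hits, spray_ips, suspects
```

Accounts returned as suspects are the ones to prioritize for session revocation and credential reset.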





