A sophisticated hacking campaign has targeted over 80,000 Microsoft Entra ID accounts across hundreds of organizations worldwide, according to cybersecurity firm Proofpoint.
The attacks have been attributed to a threat actor dubbed UNK_SneakyStrike, who has been leveraging the TeamFiltration pentesting tool since December 2024 to hijack corporate accounts.
TeamFiltration, an open-source red-team framework developed by TrustedSec researcher Melvin Langvik in 2022, is designed to enumerate, spray, and exfiltrate Office 365 and Entra ID credentials. In this campaign, it played a central role in enabling large-scale intrusion attempts, with a peak attack volume recorded on January 8, when over 16,500 accounts were targeted in a single day.
“UNK_SneakyStrike activity has affected over 80,000 targeted user accounts, resulting in several cases of successful account takeover,” Proofpoint reported.
The attackers used AWS infrastructure to launch the attacks and exploited a ‘sacrificial’ Office 365 account to abuse the Microsoft Teams API for user enumeration. Attack traffic was largely traced back to IPs in the US (42%), Ireland (11%), and the UK (8%).
Proofpoint advises organizations to:
- Block IPs listed in its indicators of compromise (IOCs)
- Detect the TeamFiltration user agent string
- Enforce multi-factor authentication (MFA) and OAuth 2.0
- Apply conditional access policies in Microsoft Entra ID
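The first two recommendations can be turned into a check over sign-in log records, shown here as an added example that is not from Proofpoint or the original article. It also flags any source IP that fails against many distinct accounts in a short window, and lists accounts that later sign in successfully from a flagged source. The record field names, thresholds, IP addresses and the user agent marker are assumptions and placeholders; the real indicators come from Proofpoint's published IOCs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholders: the article does not list the indicators, so load the real
# values from Proofpoint's published IOCs. These are constructed stand-ins.
IOC_IPS = {"203.0.113.10"}
UA_MARKER = "<teamfiltration-user-agent>"

def flag_sources(events, window=timedelta(minutes=30), min_users=5):
    """Map source IP -> reasons: ioc_ip, ioc_user_agent, spray."""
    findings, failures = defaultdict(set), defaultdict(list)
    for e in events:
        if e["ip"] in IOC_IPS:
            findings[e["ip"]].add("ioc_ip")
        if UA_MARKER in e.get("user_agent", "").lower():
            findings[e["ip"]].add("ioc_user_agent")
        if not e["success"]:
            failures[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window, then count distinct accounts failing inside it.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({user for _, user in rows[start:end + 1]}) >= min_users:
                findings[ip].add("spray")
                break
    return dict(findings)

def takeover_candidates(events, findings):
    """Accounts with a successful sign-in from a flagged source."""
    return sorted({e["user"] for e in events if e["success"] and e["ip"] in findings})

def _ev(time, user, ip, success, ua="Mozilla/5.0"):
    return {"time": f"2025-01-08T{time}", "user": user, "ip": ip,
            "success": success, "user_agent": ua}

# Constructed sample records (documentation IP ranges, example.com users).
SAMPLE = [_ev(f"10:0{i}:00", f"user{i}@example.com", "198.51.100.7", False) for i in range(5)]
SAMPLE += [
    _ev("10:06:00", "user3@example.com", "198.51.100.7", True),
    _ev("11:00:00", "alice@example.com", "192.0.2.50", False),
    _ev("11:00:30", "alice@example.com", "192.0.2.50", True),
    _ev("12:00:00", "bob@example.com", "203.0.113.10", False),
    _ev("13:00:00", "carol@example.com", "192.0.2.77", False, UA_MARKER),
]

if __name__ == "__main__":
    found = flag_sources(SAMPLE)
    print(found, takeover_candidates(SAMPLE, found))
```

Accounts returned by `takeover_candidates` are the ones to prioritize for session revocation and credential reset, since a success from a spraying source is the takeover case the report describes.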
As account takeovers remain a growing threat, proactive monitoring and layered security controls are critical for defending enterprise environments.
Bijay Pokharel