<div id="post_message_797058">
Hackers have been using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide.<br/> <br/> The campaign started last December and has successfully hijacked multiple accounts, say researchers at cybersecurity company Proofpoint, who attribute the activity to a threat actor called UNK_SneakyStrike.<br/> <br/> According to the researchers, the peak of the campaign happened on January 8, when it targeted 16,500 accounts in a single day. Such sharp bursts were followed by several days of inactivity.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/activity.jpg"/><br/> <div style="margin:20px; margin-top:5px; "> <!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> --> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Volume of attacks launched by UNK_SneakyStrike </td> </tr> </table> </div><a href="https://github.com/Flangvik/TeamFiltration/" target="_blank">TeamFiltration</a> is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 EntraID accounts. 
It was published in 2022 by TrustedSec red-team researcher Melvin Langvik.<br/> <br/> In the UNK_SneakyStrike campaign that Proofpoint observed, TeamFiltration plays a central role in facilitating large-scale intrusion attempts.<br/> <br/> The researchers report that the threat actor targets all users in small tenants, while in the case of larger ones UNK_SneakyStrike selects only users from a subset.<br/> <br/> "Since December 2024, UNK_SneakyStrike activity has affected over 80,000 targeted user accounts across hundreds of organizations, resulting in several cases of successful account takeover," <a href="https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign" target="_blank">Proofpoint explains</a>.<br/> <br/> The researchers linked the malicious activity to TeamFiltration after identifying a rare user agent the tool uses, as well as matching OAuth client IDs hardcoded in the tool's logic.<br/> <br/> Other telltale signs include access patterns to incompatible applications and the presence of an outdated snapshot of Secureworks' FOCI project embedded in TeamFiltration code.<br/> <br/> The attackers used AWS servers across multiple regions to launch the attacks, and used a 'sacrificial' Office 365 account with a Business Basic license to abuse the Microsoft Teams API for account enumeration.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/overview.jpg"/><br/> <div style="margin:20px; margin-top:5px; "> <!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> --> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Volume of attacks launched by UNK_SneakyStrike </td> </tr> </table> </div>Most of the attacks originate from IP addresses located in the United 
States (42%), followed by Ireland (11%) and the UK (8%).<br/> <br/> Organizations should block all IPs listed in Proofpoint's indicators of compromise section, and create detection rules for the TeamFiltration user agent string.<br/> <br/> Apart from that, it is recommended to enable multi-factor authentication for all users, enforce OAuth 2.0, and use conditional access policies in Microsoft Entra ID.<br/> <br/> <a href="https://www.bleepingcomputer.com/news/security/password-spraying-attacks-target-80-000-microsoft-entra-id-accounts/" target="_blank">@ BleepingComputer </a> </div>
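As an added example that is not part of the BleepingComputer article or Proofpoint's report: a small Python detector over Microsoft Entra ID sign-in records that flags the two things the article says defenders should look for, a known-bad user agent or OAuth client ID, and a burst of many distinct accounts tried from one source IP. The user-agent string and client ID below are placeholders (assumptions) to be replaced with the indicators Proofpoint published, and the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholders (assumption): substitute the user agent and client IDs from Proofpoint's IoC list.
SUSPICIOUS_USER_AGENTS = {"PLACEHOLDER-TEAMFILTRATION-UA"}
SUSPICIOUS_CLIENT_IDS = {"00000000-0000-0000-0000-000000000000"}
# Spray heuristic: this many distinct accounts from one source IP inside the window.
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_THRESHOLD = 5

def parse_signin(line):
    """Parse one Entra sign-in record exported as JSON Lines (Graph signIn field names)."""
    rec = json.loads(line)
    return {
        "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
        "upn": rec["userPrincipalName"].lower(),
        "ip": rec["ipAddress"],
        "ua": rec.get("userAgent", ""),
        "app": rec.get("appId", ""),
    }

def detect(lines):
    """Return (reason, detail) findings: IoC matches per record, then spray bursts per source IP."""
    findings, by_ip = [], defaultdict(list)
    for line in lines:
        ev = parse_signin(line)
        if any(ua in ev["ua"] for ua in SUSPICIOUS_USER_AGENTS):
            findings.append(("ioc_user_agent", f'{ev["ip"]} {ev["upn"]}'))
        if ev["app"] in SUSPICIOUS_CLIENT_IDS:
            findings.append(("ioc_client_id", f'{ev["ip"]} {ev["upn"]}'))
        by_ip[ev["ip"]].append(ev)
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(events):  # sliding window over time-ordered events
            while ev["time"] - events[start]["time"] > SPRAY_WINDOW:
                start += 1
            users = {e["upn"] for e in events[start:end + 1]}
            if len(users) >= SPRAY_THRESHOLD:
                findings.append(("spray_burst", f"{ip} {len(users)} accounts"))
                break  # one finding per IP is enough
    return findings

# Constructed sample: six accounts tried from one IP within five minutes, the first with the placeholder UA.
SAMPLE_LOGS = [json.dumps({
    "createdDateTime": f"2025-01-08T10:0{i}:00Z", "userPrincipalName": f"user{i}@example.com",
    "ipAddress": "198.51.100.7", "appId": "",
    "userAgent": "PLACEHOLDER-TEAMFILTRATION-UA" if i == 0 else "Mozilla/5.0"}) for i in range(6)]
```

Run `detect(SAMPLE_LOGS)` to see both findings; in practice feed it a JSON Lines export of the tenant's sign-in log and tune the window and threshold to the tenant's normal login volume.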