Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool


Jun 12, 2025 | Ravie Lakshmanan | Enterprise Security / Active Directory

Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts.

The activity, codenamed UNK_SneakyStrike by Proofpoint, has targeted over 80,000 user accounts across hundreds of organizations’ cloud tenants since a surge in login attempts was observed in December 2024, leading to successful account takeovers.

“Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts,” the enterprise security company said. “Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others.”

TeamFiltration, publicly released by researcher Melvin “Flangvik” Langvik in August 2022 at the DEF CON security conference, is described as a cross-platform framework for “enumerating, spraying, exfiltrating, and backdooring” Entra ID accounts.

The tool offers extensive capabilities to facilitate account takeover using password spraying attacks, data exfiltration, and persistent access by uploading malicious files to the target’s Microsoft OneDrive account.

While the tool requires an Amazon Web Services (AWS) account and a disposable Microsoft 365 account to facilitate password spraying and account enumeration functions, Proofpoint said it observed evidence of malicious activity leveraging TeamFiltration to conduct these activities such that each password spraying wave originates from a different server in a new geographic location.

At its peak, the campaign targeted 16,500 accounts in a single day in early January 2025. The three primary source geographies linked to malicious activity based on the number of IP addresses include the United States (42%), Ireland (11%), and Great Britain (8%).

When reached for comment, an AWS spokesperson told The Hacker News that customers are required to abide by its terms and that it takes steps to block prohibited content.

“AWS has clear terms that require our customers to use our services in compliance with applicable law,” the spokesperson said. “When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process.”

The UNK_SneakyStrike activity has been described as “large-scale user enumeration and password spraying attempts,” with the unauthorized access efforts occurring in “highly concentrated bursts” targeting several users within a single cloud environment. This is followed by a lull that lasts for four to five days.
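The burst-and-lull pattern described above, with each wave coming from a different server, is something defenders can look for in sign-in logs. The following Python sketch is an added example, not code from Proofpoint or from the article; the event tuple layout, the thresholds (one-hour gap, 20 distinct users), the tenant name, user names and IP addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_spray_waves(events, gap=timedelta(hours=1), min_users=20):
    """Cluster failed sign-ins per tenant into bursts; keep bursts hitting many users."""
    failures = defaultdict(list)
    for ts, tenant, user, ip, ok in events:
        if not ok:
            failures[tenant].append((ts, user, ip))
    waves = []
    for tenant, rows in failures.items():
        rows.sort()
        bursts, current = [], [rows[0]]
        for row in rows[1:]:
            if row[0] - current[-1][0] > gap:  # a quiet period closes the burst
                bursts.append(current)
                current = []
            current.append(row)
        bursts.append(current)
        prev = None
        for burst in bursts:
            users = {u for _, u, _ in burst}
            if len(users) < min_users:
                continue  # few distinct users: likely someone mistyping a password
            wave = {"tenant": tenant, "start": burst[0][0], "end": burst[-1][0],
                    "users": len(users), "ips": {ip for _, _, ip in burst},
                    "lull_days": None, "new_source": None}
            if prev:  # compare with the previous wave against the same tenant
                wave["lull_days"] = (wave["start"] - prev["end"]).days
                wave["new_source"] = wave["ips"].isdisjoint(prev["ips"])
            waves.append(wave)
            prev = wave
    return waves

def sample_events():
    """Constructed data: two 30-user waves five days apart plus one noisy user."""
    ev = []
    for i in range(30):
        user, step = f"user{i}@example.com", timedelta(seconds=20 * i)
        ev.append((datetime(2025, 1, 3, 9, 0) + step, "tenant-a", user, "198.51.100.10", False))
        ev.append((datetime(2025, 1, 8, 14, 0) + step, "tenant-a", user, "203.0.113.20", False))
    for minute in range(3):  # ordinary lockout noise from one user
        ev.append((datetime(2025, 1, 5, 8, minute), "tenant-a", "user7@example.com", "192.0.2.5", False))
    return ev

if __name__ == "__main__":
    for w in find_spray_waves(sample_events()):
        print(w["tenant"], w["start"], w["users"], sorted(w["ips"]), w["lull_days"], w["new_source"])
```

A wave whose `lull_days` is four or five and whose `new_source` is true matches the cadence reported for this campaign; the thresholds need tuning to tenant size before use on real logs.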

The findings once again highlight how tools designed to assist cybersecurity professionals can be misused by threat actors to carry out a wide range of nefarious actions that allow them to breach user accounts, harvest sensitive data, and establish persistent footholds.

“UNK_SneakyStrike’s targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants,” Proofpoint said. “This behaviour matches the tool’s advanced target acquisition features, designed to filter out less desirable accounts.”
