Cybersecurity researchers have discovered a new account Takeover (ATO) campaign that leverages an open source penetration testing framework called TeamFiltration that violates Microsoft Entra ID (formerly Azure Active Directory) user accounts.
Activities, codenames unk_sneakystrike According to Proofpoint, since a surge in login attempts was observed in December 2024, it has targeted more than 80,000 user accounts across hundreds of organizations’ cloud tenants, and has successfully acquired the account.
“Attackers will launch attempts to leverage Microsoft Teams APIs and Amazon Web Services (AWS) servers in various geographical regions to spray user approvals and passwords,” Enterprise Security Company said. “The attackers used access to certain resources and native applications, such as Microsoft Teams, OneDrive, and Outlook.”
TeamFiltration, published by researcher Melvin “Flangvik” Langvik at the Def Con Security Conference in August 2022, is described as a cross-platform framework for enumeration, spraying, removal and backdooring Entra ID accounts.
This tool offers a wide range of features to promote account takeover using password spray attacks, data removal, and permanent access by uploading malicious files to the target Microsoft OneDrive account.
The tool requires an Amazon Web Services (AWS) account and a disposable Microsoft 365 account to promote password spray and account enumeration capabilities, but ProofPoint said it has leveraged these activities to observe evidence of malicious activity to leverage these activities so that each password spray wave comes from another server in a new geographical location.
At its peak, the campaign targeted 16,500 accounts in a day in early January 2025. Three main source geography related to malicious activity based on the number of IP addresses include the US (42%), Ireland (11%), and the UK (8%).
When reaching for the comment, an AWS spokesman told HackerNews that customers must comply with the terms and take steps to block banned content.
“AWS has clear terms that require you to use our Services in compliance with applicable law,” the spokesman said. “When we receive a report of a potential violation of the terms, we will act promptly and take steps to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspicious abuse in AWS trust and safety through a dedicated abuse reporting process.”
UNK_SNeakyStrike activity is known as “large user enumeration and password spray attempts,” and has led to unauthorized access efforts targeting multiple users within a single cloud environment with “high bursts” targeting multiple users. This is followed by a lull that lasts for 4-5 days.
The findings once again highlight how tools designed to assist cybersecurity experts can be misused by threat actions.
“UNK_SNeakyStrike’s targeting strategy suggests that we try to access all user accounts within a small cloud tenant, focusing only on a subset of users in the larger tenant,” ProofPoint said. “This behavior matches the advanced targeting capabilities of tools designed to exclude unwanted accounts.”
