Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework known as TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts.
The activity, codenamed UNK_SneakyStrike by Proofpoint, has targeted over 80,000 user accounts across hundreds of organizations’ cloud tenants since a surge in login attempts was observed in December 2024, leading to successful account takeovers.
“Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts,” the enterprise security company said. “Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others.”
TeamFiltration, publicly released by researcher Melvin “Flangvik” Langvik in August 2022 at the DEF CON security conference, is described as a cross-platform framework for “enumerating, spraying, exfiltrating, and backdooring” Entra ID accounts.
The tool offers extensive capabilities to facilitate account takeover using password spraying attacks, data exfiltration, and persistent access by uploading malicious files to the target’s Microsoft OneDrive account.
While the tool requires an Amazon Web Services (AWS) account and a disposable Microsoft 365 account to support its password spraying and account enumeration capabilities, Proofpoint said it observed evidence of malicious activity leveraging TeamFiltration to conduct these actions such that each password spraying wave originates from a different server in a new geographic location.
The three main source geographies linked to the malicious activity, based on the number of IP addresses, are the United States (42%), Ireland (11%), and Great Britain (8%).
The UNK_SneakyStrike activity has been described as “large-scale user enumeration and password spraying attempts,” with the unauthorized access efforts occurring in “highly concentrated bursts” targeting multiple users within a single cloud environment. This is followed by a lull that lasts for four to five days.
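The burst pattern described above (one or two attempts against many users, source IPs rotating across countries, then a lull) is something a defender can look for in Entra ID sign-in logs. The following Python is an added example, not code from Proofpoint or the TeamFiltration project: it groups constructed sample sign-in records into ten-minute buckets and flags a bucket as a likely spray wave when it holds bad-password failures for many distinct users from several distinct IPs. The record fields, thresholds and sample values are assumptions.

```python
"""Flag password-spray bursts in Entra ID sign-in records (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records, not real logs: (timestamp, user, source IP,
# country, success). Field layout is an assumption about an exported sign-in log.
SAMPLE_SIGNINS = [
    # a spray wave: one bad-password failure per user from rotating cloud IPs
    ("2024-12-03T09:00:05", "alice@contoso.example", "203.0.113.10", "US", False),
    ("2024-12-03T09:00:41", "bob@contoso.example", "203.0.113.10", "US", False),
    ("2024-12-03T09:01:12", "carol@contoso.example", "198.51.100.7", "IE", False),
    ("2024-12-03T09:01:50", "dave@contoso.example", "198.51.100.7", "IE", False),
    ("2024-12-03T09:02:33", "erin@contoso.example", "192.0.2.99", "GB", False),
    ("2024-12-03T09:03:08", "frank@contoso.example", "192.0.2.99", "GB", False),
    ("2024-12-03T09:04:19", "grace@contoso.example", "203.0.113.77", "US", False),
    # legitimate sign-in during the same window
    ("2024-12-03T09:02:00", "bob@contoso.example", "10.20.30.40", "US", True),
    # one user mistyping their password later: many failures, one user, one IP
    ("2024-12-03T14:10:00", "alice@contoso.example", "10.20.30.41", "US", False),
    ("2024-12-03T14:10:30", "alice@contoso.example", "10.20.30.41", "US", False),
    ("2024-12-03T14:11:05", "alice@contoso.example", "10.20.30.41", "US", False),
]


def find_spray_bursts(records, bucket_minutes=10, min_users=5, min_ips=3):
    """Return one alert per time bucket that looks like a spray wave.

    A spray spreads few attempts over many accounts, so the signal is a bucket
    with many distinct failing users from several IPs, while the per-user
    failure count stays low (a single user failing repeatedly is not a spray).
    """
    buckets = defaultdict(list)
    for ts, user, ip, country, ok in records:
        if ok:
            continue  # only failed attempts contribute to the spray signal
        when = datetime.fromisoformat(ts)
        key = when.replace(minute=when.minute - when.minute % bucket_minutes,
                           second=0, microsecond=0)
        buckets[key].append((user, ip, country))
    alerts = []
    for key in sorted(buckets):
        rows = buckets[key]
        per_user = Counter(u for u, _, _ in rows)
        ips = {ip for _, ip, _ in rows}
        if len(per_user) >= min_users and len(ips) >= min_ips:
            alerts.append({"bucket": key.isoformat(), "failures": len(rows),
                           "users": len(per_user), "ips": len(ips),
                           "max_per_user": max(per_user.values()),
                           "countries": sorted({c for _, _, c in rows})})
    return alerts
```

A low `max_per_user` alongside a high `users` count is the spray fingerprint; the same function applied to a day of real exports would surface the wave-then-lull rhythm the article describes.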
The findings once again highlight how tools designed to help cybersecurity professionals can be misused by threat actors to carry out a wide range of nefarious activities that allow them to breach user accounts, harvest sensitive data, and establish persistent footholds.
“UNK_SneakyStrike’s targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants,” Proofpoint said. “This behaviour matches the tool’s advanced target acquisition features, designed to filter out less desirable accounts.”