The threat actor UNK_SneakyStrike has used the TeamFiltration penetration testing framework to target over 80,000 Microsoft Entra ID accounts across hundreds of organizations worldwide, some of which were successfully taken over, in a campaign that commenced in December, BleepingComputer reports.
UNK_SneakyStrike, whose campaign peaked in early January with 16,500 accounts targeted in a single day, leveraged AWS servers around the world to launch the intrusions while using an Office 365 account to abuse the Microsoft Teams API for account enumeration, according to an analysis from Proofpoint. Most of the malicious activity originated from IP addresses in the U.S., Ireland, and the UK. The activity has been associated with TeamFiltration following the discovery of the tool's rare user agent and OAuth client IDs. Organizations have been urged to defend themselves against potential compromise by blocking offending IP addresses, activating OAuth 2.0 and multi-factor authentication, and implementing Entra ID conditional access policies.