Hackers have been using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide.
The campaign started last December and has successfully hijacked multiple accounts, say researchers at cybersecurity company Proofpoint, who attribute the activity to a threat actor called UNK_SneakyStrike.
According to the researchers, the peak of the campaign happened on January 8, when it targeted 16,500 accounts in a single day. Such sharp bursts were followed by several days of inactivity.
Source: Proofpoint
TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 EntraID accounts. It was published in 2022 by TrustedSec red-team researcher Melvin Langvik.
In the UNK_SneakyStrike campaign that Proofpoint observed, TeamFiltration plays a central role in facilitating large-scale intrusion attempts.
The researchers report that the threat actor targets all users in small tenants, while in the case of larger one UNK_SneakyStrike selects only users from a subset.
“Since December 2024, UNK_SneakyStrike activity has affected over 80,000 targeted user accounts across hundreds of organizations, resulting in several cases of successful account takeover,” Proofpoint explains.
The researchers linked the malicious activity to TeamFiltration after identifying a rare user agent the tool uses, as well as matching OAuth client IDs hardcoded in the tool’s logic.
Other telltale signs include access patterns to incompatible applications and the presence of an outdated snapshot of Secureworks’ FOCI project embedded in TeamFiltration code.
The attackers used AWS servers across multiple regions to launch the attacks, and used a ‘sacrificial’ Office 365 account with a Business Basic license to abuse Microsoft Teams API for account enumeration.
Source: Proofpoint
Most of the attacks originate from IP addresses located in the United States (42%), followed by Ireland (11%) and the UK (8%).
Organizations should block all IPs listed in Proofpoint’s indicators of compromise section, and create detection rules for the TeamFiltration user agent string.
Apart from that, it is recommended to enable multi-factor authentication for all users, enforce OAuth 2.0, and use conditional access policies in Microsoft Entra ID.
Patching used to mean complex scripts, long hours, and endless fire drills. Not anymore.
In this new guide, Tines breaks down how modern IT orgs are leveling up with automation. Patch faster, reduce overhead, and focus on strategic work — no complex scripts required.
Source link
-
-
-
-
-
-
-
-
