Attackers Unleash TeamFiltration Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool
Key Takeaways
Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts.
Using a combination of unique characteristics, Proofpoint researchers were able to detect and track unauthorized activity attributed to TeamFiltration.
According to Proofpoint findings, since December 2024 UNK_SneakyStrike activity has affected over 80,000 targeted user accounts across hundreds of organizations, resulting in several cases of successful account takeover.
Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user enumeration and password-spraying attempts.
Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others.