Proofpoint researchers uncovered the UNK_SneakyStrike campaign, which uses the TeamFiltration framework to target Microsoft Entra ID accounts through large-scale user enumeration and password spraying. The campaign, active since December 2024, leverages AWS infrastructure and abuses native Microsoft applications for account takeover and data exfiltration. #UNKSneakyStrike #TeamFiltration #MicrosoftEntraID
Keypoints
- Proofpoint detected an active account takeover campaign named UNK_SneakyStrike targeting over 80,000 Microsoft Entra ID user accounts since December 2024.
- The attackers use the TeamFiltration pentesting framework, which automates tactics like user enumeration, password spraying, data exfiltration, and backdooring via OneDrive.
- TeamFiltration requires AWS accounts to launch attacks and rotates across AWS Regions to evade detection.
- Researchers identified a unique user agent related to an outdated Microsoft Teams client as an indicator of TeamFiltration activity.
- The campaign targets native Microsoft OAuth client applications to obtain family refresh tokens for persistent access.
- UNK_SneakyStrike’s activity displays patterns of highly concentrated bursts of attacks followed by quiet periods lasting several days.
- The most frequent source IPs originate from the United States, Ireland, and Great Britain.
MITRE Techniques
- [T1078] Valid Accounts – The attackers perform user enumeration and password spraying to identify and compromise valid Entra ID user credentials (‘…user enumeration and password spraying attempts…’).
- [T1539] Steal Web Session Cookie – Attackers abuse native OAuth client applications to obtain family refresh tokens, which can be exchanged for bearer tokens to access the compromised account (‘…obtain special “family refresh tokens” from Entra ID…’).
- [T1110] Brute Force – The attackers use password spraying, rotated across multiple AWS Regions, to compromise user accounts (‘…password spraying function supporting rotation across different AWS Regions…’).
- [T1560] Data from Local System – TeamFiltration exfiltrates emails, files, and data from compromised accounts (‘…extracts information such as emails, files, and other valuable data…’).
- [T1090] Proxy – The tool uses AWS servers in various geographic locations to obfuscate the true source of the access attempts (‘…launch user-enumeration and password-spraying attempts using AWS servers located in various geographical regions…’).
Indicators of Compromise
- [User Agent] Default user agent linked to TeamFiltration activity – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36
- [IP Addresses] Source IPs associated with UNK_SneakyStrike activity – 44.220.31[.]157, 44.206.7[.]122, 3.255.18[.]223, and 7 more IP addresses observed between December 2024 and March 2025
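The two detection hooks the key points and IoC list give a defender (the outdated Teams user agent, and bursts of failed sign-ins for many distinct users from one source IP) can be checked against Entra ID sign-in logs. The following is an added example written for this page, not Proofpoint's or TeamFiltration's code; the sign-in records are constructed, the field names are assumed to follow the Entra ID sign-in log schema, and the error code 50126 is assumed to mean invalid credentials.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default user agent the page attributes to TeamFiltration (copied from the IoC list above).
TEAMFILTRATION_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 "
    "Electron/8.5.1 Safari/537.36"
)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Constructed sample records (not real telemetry). Field names are assumed to mirror the
# Entra ID sign-in log schema; values and IP addresses are invented (RFC 5737 ranges).
SAMPLE_SIGNINS = [
    {"createdDateTime": f"2025-01-10T03:00:{i:02d}", "userPrincipalName": f"user{i}@example.com",
     "ipAddress": "203.0.113.10", "userAgent": TEAMFILTRATION_UA, "errorCode": 50126}
    for i in range(1, 9)
] + [
    {"createdDateTime": "2025-01-10T03:00:30", "userPrincipalName": "user3@example.com",
     "ipAddress": "203.0.113.10", "userAgent": TEAMFILTRATION_UA, "errorCode": 0},
    {"createdDateTime": "2025-01-10T09:15:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edg/120.0", "errorCode": 50126},
    {"createdDateTime": "2025-01-10T09:15:20", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edg/120.0", "errorCode": 0},
]

def user_agent_hits(records):
    """Return every sign-in whose user agent equals the TeamFiltration default."""
    return [r for r in records if r["userAgent"] == TEAMFILTRATION_UA]

def spray_sources(records, min_distinct_users=5, window=timedelta(minutes=10)):
    """Flag source IPs that fail sign-in for many distinct users inside a sliding window.
    Returns {ip: {"distinct_users": n, "successes": [upn, ...]}}; a success from a
    spraying IP is the account to triage first."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        by_ip[r["ipAddress"]].append(r)
    flagged = {}
    for ip, rows in by_ip.items():
        failed = [r for r in rows if r["errorCode"] != 0]
        best, start = 0, 0
        for end in range(len(failed)):
            while _ts(failed[end]["createdDateTime"]) - _ts(failed[start]["createdDateTime"]) > window:
                start += 1
            best = max(best, len({r["userPrincipalName"] for r in failed[start:end + 1]}))
        if best >= min_distinct_users:
            successes = sorted({r["userPrincipalName"] for r in rows if r["errorCode"] == 0})
            flagged[ip] = {"distinct_users": best, "successes": successes}
    return flagged
```

Run over the sample, the single spraying IP is flagged with eight distinct failed users and one successful sign-in, while the normal user who mistyped a password once is not.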