Cybersecurity researchers have identified a new account takeover campaign called UNK_SneakyStrike, which uses the open-source TeamFiltration framework to compromise Microsoft Entra ID user accounts. Over 80,000 accounts across various organizations have been affected through large-scale password spraying and account enumeration activities originating from multiple geographical locations.
Key points
- The UNK_SneakyStrike campaign leverages the open-source tool TeamFiltration to conduct account takeovers.
- Attackers use the Microsoft Teams API and AWS servers in different regions to carry out their operations.
- Over 80,000 user accounts across numerous organizations have been targeted since December 2024.
- The malicious activity involves password spraying, user enumeration, and data exfiltration from platforms like OneDrive and Outlook.
- The campaign’s infrastructure is primarily traced to IP addresses from the United States, Ireland, and Great Britain.
Read More: https://thehackernews.com/2025/06/over-80000-microsoft-entra-id-accounts.html