Attackers using the TeamFiltration framework have targeted over 80,000 Microsoft Entra ID accounts across hundreds of organizations worldwide in a campaign tracked as UNK_SneakyStrike. The activity consisted of large-scale account-takeover attempts launched from AWS infrastructure and relying on abuse of OAuth client IDs, and it hit both small and large tenants. #TeamFiltration #UNK_SneakyStrike #MicrosoftEntraID #OAuth #AccountTakeover
Keypoints
- The UNK_SneakyStrike threat actor used the TeamFiltration framework to compromise Microsoft Entra ID accounts.
- The campaign began in December 2024 and peaked on January 8, 2025, when 16,500 accounts were targeted in a single day.
- The attackers ran their activity from AWS servers and used a "sacrificial" Office 365 account, which TeamFiltration relies on for its user-enumeration step before attempting logins.
- Indicators of compromise include a distinctive user-agent string, the fixed set of OAuth client IDs the tool authenticates with, and sign-ins to applications that do not match the platform indicated by the client (for example, a mobile-only app reached from a desktop user agent).
- Organizations are advised to block the IP addresses published as indicators, enforce multi-factor authentication, and implement conditional access policies that restrict where and from which clients users may sign in.
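The three indicator types in the list above (a distinctive user agent, a fixed set of OAuth client IDs, and app/platform mismatches) translate directly into sign-in log hunting rules. The following is an added example written for this page, not code from the report or from the TeamFiltration project: it runs those rules, plus a per-IP distinct-user count that captures the spraying volume described above, over constructed Entra ID sign-in records. The user-agent substring, the client-ID watchlist and its platform map are placeholders to be replaced with the values from the vendor report; the GUIDs and log lines are constructed and not real indicators.

```python
"""Hunt for TeamFiltration-style sign-ins in Entra ID sign-in log records.

Added example for this page; not code from the report or the tool. The
watchlist values below are ASSUMED PLACEHOLDERS, not the campaign's real IoCs.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Placeholder user-agent fragment (assumption; take the real one from the report).
SUSPICIOUS_USER_AGENT_SUBSTRINGS = ["TeamFiltration-Example-UA"]

# OAuth client (application) IDs to watch, mapped to the platform each client
# legitimately runs on. Constructed GUIDs, not real Microsoft application IDs.
WATCHED_CLIENT_IDS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "iOS",
    "11111111-aaaa-4bbb-8ccc-000000000002": "Android",
    "11111111-aaaa-4bbb-8ccc-000000000003": "Windows",
}


@dataclass
class Finding:
    user: str
    ip: str
    rules: list[str] = field(default_factory=list)


def platform_from_user_agent(ua: str) -> str:
    """Coarse OS guess from a user-agent string (deliberately simple heuristic)."""
    ua_l = ua.lower()
    if "iphone" in ua_l or "ipad" in ua_l:
        return "iOS"
    if "android" in ua_l:
        return "Android"
    if "windows" in ua_l:
        return "Windows"
    if "macintosh" in ua_l:
        return "macOS"
    if "linux" in ua_l:
        return "Linux"
    return "Unknown"


def evaluate(record: dict) -> list[str]:
    """Return the names of the indicator rules a single sign-in record triggers."""
    hits: list[str] = []
    ua = record.get("userAgent", "")
    app_id = record.get("appId", "")
    if any(s in ua for s in SUSPICIOUS_USER_AGENT_SUBSTRINGS):
        hits.append("suspicious_user_agent")
    if app_id in WATCHED_CLIENT_IDS:
        hits.append("watched_client_id")
        expected = WATCHED_CLIENT_IDS[app_id]
        observed = platform_from_user_agent(ua)
        # A client ID for a mobile-only app reached from a desktop UA is the
        # "incompatible app" pattern; an unknown platform is not counted.
        if observed != "Unknown" and observed != expected:
            hits.append(f"platform_mismatch:{expected}!={observed}")
    return hits


def hunt(records: list[dict], spray_threshold: int = 5) -> tuple[list[Finding], set[str]]:
    """Apply the indicator rules and flag IPs that touch many distinct accounts."""
    findings: list[Finding] = []
    users_per_ip: dict[str, set[str]] = defaultdict(set)
    for r in records:
        rules = evaluate(r)
        if rules:
            findings.append(Finding(r["userPrincipalName"], r["ipAddress"], rules))
        users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])
    spray_ips = {ip for ip, users in users_per_ip.items() if len(users) >= spray_threshold}
    return findings, spray_ips


# Constructed sign-in records shaped like Entra ID sign-in log exports.
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_SIGNINS = [
    # Benign: normal browser sign-in to an app outside the watchlist.
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "userAgent": WIN_UA, "appId": "22222222-bbbb-4ccc-8ddd-000000000009"},
    # Tool user agent plus a watched client ID (UA carries no platform hint).
    {"userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.7",
     "userAgent": "TeamFiltration-Example-UA/1.0",
     "appId": "11111111-aaaa-4bbb-8ccc-000000000001"},
    # iOS-only client ID reached from a Windows user agent.
    {"userPrincipalName": "carol@example.test", "ipAddress": "198.51.100.7",
     "userAgent": WIN_UA, "appId": "11111111-aaaa-4bbb-8ccc-000000000001"},
] + [
    # Five more accounts hit from the same IP with an Android-only client ID.
    {"userPrincipalName": f"{name}@example.test", "ipAddress": "198.51.100.7",
     "userAgent": WIN_UA, "appId": "11111111-aaaa-4bbb-8ccc-000000000002"}
    for name in ("dave", "erin", "frank", "grace", "heidi")
]

if __name__ == "__main__":
    found, sprayers = hunt(SAMPLE_SIGNINS)
    for f in found:
        print(f.ip, f.user, ", ".join(f.rules))
    print("spray sources:", sorted(sprayers))
```

Per-record rules alone are noisy (a watched first-party client ID is used by legitimate sign-ins every day), so the per-IP distinct-user count is what turns individual hits into a campaign-level alert; in production the threshold would be applied over a time window rather than the whole batch.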