
According to a new report by Proofpoint, attackers are actively abusing the TeamFiltration penetration testing framework in a large-scale account takeover (ATO) campaign tracked as UNK_SneakyStrike, targeting Microsoft Entra ID users.
Originally released at DefCon30 in 2021, TeamFiltration was intended to help security professionals simulate ATOs and audit Microsoft 365 environments. However, like many dual-use tools, it has since been weaponized.
TeamFiltration’s capabilities include:
- User enumeration
- Password spraying
- Data exfiltration
- OneDrive-based backdooring
Proofpoint researchers have now confirmed that these features are being abused in the wild.
“Since December 2024, UNK_SneakyStrike activity has affected over 80,000 targeted user accounts across hundreds of organizations,” with multiple confirmed account takeovers, according to Proofpoint’s findings.
The campaign is sophisticated, relying on a blend of Microsoft Teams APIs, AWS cloud infrastructure, and user-agent spoofing to evade detection and scale attacks.
Attackers use a “sacrificial” Office 365 account and rotate AWS regions to distribute password-spraying attempts across different geographies. The goal is to bypass detection systems that alert on high-volume or geographically concentrated login failures.

Key tactics include:
- Credential validation via Microsoft Teams and OneDrive APIs
- Exploitation of OAuth refresh tokens to maintain access across client apps
- User-agent masquerading, identified through an outdated Teams build string
“Attempted access to a specific sign-in application originating from devices incompatible with that application… indicates user agent spoofing,” Proofpoint reported.
Proofpoint acknowledges the difficulty in distinguishing benign penetration tests from real threats. UNK_SneakyStrike attacks tend to occur in bursts, targeting wide user sets in small tenants and select users in larger ones—behavior inconsistent with ethical assessments.
“Unlike controlled security assessments, malicious activity tends to follow a broader, more indiscriminate targeting pattern,” the report notes.
Their research also revealed that TeamFiltration appears to use outdated or erroneous application ID lists, suggesting threat actors may be adapting poorly maintained open-source code for illicit use.
UNK_SneakyStrike primarily leverages AWS cloud servers, with the United States (42%), Ireland (11%), and Great Britain (8%) cited as the top regions of origin by IP volume. Peaks in activity were observed in December 2024 and January 2025, with follow-on waves continuing through March.
“Unauthorized access attempts attributed to UNK_SneakyStrike tend to occur in highly concentrated bursts,” Proofpoint reported.
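As an added defender-side illustration (not Proofpoint's code or data), the following Python sketch checks for the two signals the report describes, concentrated spray bursts against many accounts from one source and sign-ins from a device platform the claimed application does not run on, over constructed sign-in records; the IP addresses, accounts and the app-to-platform compatibility table are all assumptions.

```python
"""Detection sketch for the UNK_SneakyStrike signals described above, run over
constructed Entra ID sign-in records (not Proofpoint's data or tooling)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (time, user, source_ip, result, app, device_os).
# 25 failures against 25 different accounts from one IP inside ~30 seconds.
SAMPLE = [(f"2025-01-10T03:{i // 60:02d}:{i % 60:02d}", f"user{i}@corp.example",
           "203.0.113.7", "failure", "Teams", "Windows") for i in range(25)]
SAMPLE += [
    ("2025-01-10T03:00:30", "user3@corp.example", "203.0.113.7", "success", "Teams", "Windows"),
    ("2025-01-10T09:15:00", "alice@corp.example", "198.51.100.4", "success", "Teams", "Windows"),
    ("2025-01-10T09:16:00", "alice@corp.example", "198.51.100.4", "failure", "Teams", "Windows"),
    # Claimed client app that does not ship for the reported device platform (constructed).
    ("2025-01-10T09:20:00", "bob@corp.example", "203.0.113.7", "success", "OneDrive Sync", "Android"),
]

# Assumed (constructed) compatibility table: device platforms each sign-in app supports.
APP_PLATFORMS = {"Teams": {"Windows", "macOS", "iOS", "Android", "Linux"},
                 "OneDrive Sync": {"Windows", "macOS"}}

def detect_spray_bursts(events, window=timedelta(minutes=10), min_users=20, min_fail_ratio=0.9):
    """Flag source IPs that fail against many distinct accounts inside one short window:
    the concentrated-burst, wide-target pattern the report contrasts with a controlled test."""
    by_ip = defaultdict(list)
    for ts, user, ip, result, *_ in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    hits = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            win = [r for r in rows[i:] if r[0] - t0 <= window]
            users = {u for _, u, _ in win}
            fails = sum(r == "failure" for _, _, r in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hits[ip] = {"users": len(users), "failures": fails, "start": t0.isoformat()}
                break  # one finding per source IP is enough for triage
    return hits

def detect_ua_mismatch(events, platforms=APP_PLATFORMS):
    """Flag sign-ins where the claimed application cannot run on the reported device:
    the user-agent spoofing indicator quoted from the report."""
    return [(user, app, os_) for _, user, _, _, app, os_ in events
            if app in platforms and os_ not in platforms[app]]
```

In a real tenant the same logic would read Entra sign-in logs (source IP, user principal name, result, client app and device OS fields) instead of the constructed tuples, and the thresholds would be tuned to the tenant's size.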
Proofpoint warns that the threat landscape is evolving rapidly. As defenders adapt, attackers are adopting more powerful and flexible tools, often blending open-source red-teaming software with malicious automation.