TeamFiltration Weaponized: UNK_SneakyStrike Campaign Targets 80,000+ Microsoft Entra ID Accounts
Ddos 
According to a new report by Proofpoint, attackers are now actively exploiting the TeamFiltration penetration testing framework in an account takeover (ATO) campaign known as UNK_SneakyStrike, targeting Microsoft Entra ID users at a huge scale.
Originally released at DefCon30 in 2021, TeamFiltration was intended to help security professionals simulate ATOs and audit Microsoft 365 environments. However, like many dual-use tools, it has since been weaponized.
TeamFiltrationβs capabilities include:
- User enumeration
- Password spraying
- Data exfiltration
- OneDrive-based backdooring
Proofpoint researchers have now confirmed that these features are being abused in the wild.
βSince December 2024 UNK_SneakyStrike activity has affected over 80,000 targeted user accounts across hundreds of organizations,β with multiple confirmed account takeovers, according to Proofpointβs findings.
The campaign is sophisticated, relying on a blend of Microsoft Teams APIs, AWS cloud infrastructure, and user-agent spoofing to evade detection and scale attacks.
Attackers use a “sacrificial” Office 365 account and rotate AWS regions to distribute password-spraying attempts across different geographies. The goal: bypass detection systems that monitor for high-volume or localized login failures.
Key tactics include:
- Credential validation via Microsoft Teams and OneDrive APIs
- Exploitation of OAuth refresh tokens to maintain access across client apps
- User-agent masquerading, identified through an outdated Teams build string
βAttempted access to a specific sign-in application originating from devices incompatible with that applicationβ¦ indicates user agent spoofing,β Proofpoint reported.
Proofpoint acknowledges the difficulty in distinguishing benign penetration tests from real threats. UNK_SneakyStrike attacks tend to occur in bursts, targeting wide user sets in small tenants and select users in larger onesβbehavior inconsistent with ethical assessments.
βUnlike controlled security assessments, malicious activity tends to follow a broader, more indiscriminate targeting pattern,β the report notes.
Their research also revealed that TeamFiltration appears to use outdated or erroneous application ID lists, suggesting threat actors may be adapting poorly maintained open-source code for illicit use.
UNK_SneakyStrike primarily leverages AWS cloud servers, with the United States (42%), Ireland (11%), and Great Britain (8%) cited as the top regions of origin by IP volume. Peaks in activity were observed in December 2024 and January 2025, with follow-on waves continuing through March.
βUnauthorized access attempts attributed to UNK_SneakyStrike tend to occur in highly concentrated bursts,β Proofpoint reported.
Proofpoint warns that the threat landscape is evolving rapidly. As defenders adapt, attackers are adopting more powerful and flexible tools, often blending open-source red-teaming software with malicious automation.
Related Posts:
- Stealthy Persistence: Microsoft Entra ID’s Administrative Units Weaponized
- Phishing for Profits: Attackers Mine Crypto & Spam Through OAuth Apps
- Global “Password Spraying” Campaign Targets VPN Systems, Causing Lockouts
- Citrix Alerts on Global Password Spraying Campaigns Targeting NetScaler Appliances
- Detecting Lateral Movement Risks in Microsoft Entra IDβs Cross-Tenant Synchronization Feature
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
