Is Your Microsoft Account at Risk? What is Known About the Entra ID Breach

The420.in Staff

A sophisticated cyber campaign has targeted over 80,000 Microsoft Entra ID accounts across hundreds of organizations globally. Orchestrated by a threat actor dubbed UNK_SneakyStrike, the attacks leveraged an advanced pentesting tool called TeamFiltration and exhibited alarming levels of precision, scale, and stealth. Cybersecurity firm Proofpoint has issued a stark warning for enterprises using Microsoft cloud infrastructure.


Anatomy of an Attack: Inside the UNK_SneakyStrike Campaign

Beginning in December 2024, a series of orchestrated password-spraying attacks was observed. Password spraying is a brute-force tactic in which attackers try a small number of commonly used passwords across many accounts, keeping per-account attempts low enough to avoid lockouts. The campaign peaked on January 8, 2025, with 16,500 login attempts in a single day, followed by periods of inactivity, suggesting a deliberate, timed strategy rather than random exploitation.

The campaign was enabled by TeamFiltration, a cross-platform framework developed in 2022 for red-teaming Office 365 (now Entra ID) environments. Though originally released by security researcher Melvin Langvik for ethical testing purposes, the tool has since been repurposed by cybercriminals for malicious ends.

The attackers primarily targeted small tenants in bulk, while selectively probing users in large enterprises. This strategy allowed them to remain under the radar while increasing the odds of successful account takeover.


Digital Forensics: Fingerprints in the Code

What helped Proofpoint attribute the attacks to TeamFiltration and the actor UNK_SneakyStrike were multiple unique signatures. Among these were a rare user-agent string, hardcoded OAuth client IDs, and the use of an outdated Secureworks FOCI project snapshot embedded in the tool’s backend. These forensic traces narrowed down the origin of the tool and its misuse.

Moreover, the attackers leveraged AWS infrastructure across various global regions and used a “sacrificial” Office 365 Business Basic account to exploit the Microsoft Teams API. This allowed them to perform silent account enumeration, identifying valid user accounts without detection. Most attack traffic was traced back to the United States (42%), followed by Ireland (11%) and the United Kingdom (8%), further complicating attribution and response efforts.

Enterprise Risk and Response: Steps to Secure Entra ID

Proofpoint’s advisory urges all affected and at-risk organizations to act swiftly. Recommended steps include:

  • Blocking all IPs listed in the indicators of compromise (IOCs)
  • Setting detection rules for TeamFiltration-specific user agents
  • Enforcing multi-factor authentication (MFA) across all user tiers
  • Mandating OAuth 2.0 security compliance
  • Deploying conditional access policies in Microsoft Entra ID environments
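As an added example (not code from the article or from Proofpoint's advisory), the script below runs two of the detection ideas above over constructed sign-in records: it flags a low-and-slow spray source (one IP hitting many accounts with only one or two guesses each) and any sign-in whose user agent matches a flagged substring. The record field names and the user-agent placeholder are assumptions; the article does not publish the real string.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the tenant keeps its own list of user-agent substrings to flag.
# The article names no string, so this is an obvious placeholder.
SUSPICIOUS_UA_SUBSTRINGS = ("TEAMFILTRATION-UA-PLACEHOLDER",)


def _rec(time, ip, user, ua, code):
    return {"time": time, "ip": ip, "user": user, "ua": ua, "error_code": code}


# Constructed sample records (not real logs). Fields are a simplified stand-in
# for the Entra sign-in log schema; 50126 is "invalid username or password", 0 is success.
SAMPLE_SIGNINS = [
    # one IP, five accounts, one guess each: the spray pattern
    _rec(f"2025-01-08T10:0{i}:00", "203.0.113.10", f"user{i}@example.com", "Mozilla/5.0", 50126) for i in range(5)
] + [
    # one user mistyping a password twice, then succeeding: not a spray
    _rec("2025-01-08T10:05:00", "198.51.100.7", "frank@example.com", "Mozilla/5.0", 50126),
    _rec("2025-01-08T10:06:00", "198.51.100.7", "frank@example.com", "Mozilla/5.0", 50126),
    _rec("2025-01-08T10:07:00", "198.51.100.7", "frank@example.com", "Mozilla/5.0", 0),
    # a successful sign-in with a flagged user agent still deserves review
    _rec("2025-01-08T11:00:00", "192.0.2.55", "grace@example.com", "TEAMFILTRATION-UA-PLACEHOLDER/1.0", 0),
]


def password_spray_sources(records, window_minutes=30, min_users=5, max_per_user=2):
    """IPs whose failed sign-ins touch >= min_users distinct accounts inside one
    window while trying each account <= max_per_user times (low-and-slow spray)."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for r in records:
        if r["error_code"] != 0:
            failures[r["ip"]].append((datetime.fromisoformat(r["time"]), r["user"]))
    flagged = set()
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each failure
            per_user = defaultdict(int)
            for t, user in events[i:]:
                if t - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.add(ip)
                break
    return flagged


def suspicious_agent_signins(records, substrings=SUSPICIOUS_UA_SUBSTRINGS):
    """(ip, user) pairs whose user agent matches a flagged substring, whatever the outcome."""
    return {(r["ip"], r["user"]) for r in records if any(s in r["ua"] for s in substrings)}
```

The thresholds are deliberately conservative; a real deployment would tune them against the tenant's baseline and correlate the flagged IPs with the published IOC list.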

While Microsoft has yet to release a dedicated security bulletin for the campaign, internal sources confirm that several enterprise accounts have indeed suffered unauthorized access, a critical concern as many organizations depend on Entra ID for identity verification, email, document collaboration, and remote access.

The incident also renews scrutiny over the public availability of red-teaming tools, which, while vital for defence simulation, continue to pose risks when co-opted by threat actors.

About the author – Prakriti Jha is a student at National Forensic Sciences University, Gandhinagar, currently pursuing B.Sc. LL.B (Hons.) with a keen interest in the intersection of law and data science. She is passionate about exploring how legal frameworks adapt to the evolving challenges of technology and justice.
