Over 80,000 Microsoft Entra ID Accounts Targeted by Open-Source TeamFiltration Tool


New Cyber Threat: UNK_SneakyStrike Targets Microsoft Entra ID Accounts

On June 12, 2025, security researchers disclosed a new account takeover (ATO) campaign, tracked as UNK_SneakyStrike, that abuses the open-source TeamFiltration framework. The campaign has targeted more than 80,000 user accounts across numerous organizations' Microsoft Entra ID tenants (Entra ID is the service formerly known as Azure Active Directory), and a number of those attempts ended in successful account takeovers. The surge in malicious login attempts was first observed in December 2024.

Understanding the Attack Method

According to Proofpoint, the security firm tracking the campaign, the attackers use the Microsoft Teams API for user enumeration and Amazon Web Services (AWS) servers spread across several geographic regions as the source of their password-spraying attempts. Enumeration tells them which accounts exist, and spraying from many cloud hosts lets them test a few passwords against each of those accounts at scale. When a guess lands, the attackers use the account to reach Microsoft Teams, OneDrive, Outlook and the data those services hold.

TeamFiltration: The Tool Behind the Campaign

TeamFiltration is a cross-platform penetration testing framework written by researcher Melvin "Flangvik" Langvik and first presented at the DEF CON security conference in August 2022. It is built for account enumeration, password spraying and data exfiltration against Entra ID (Microsoft 365) tenants, and in an attacker's hands those same features are enough to compromise accounts at scale. It can also plant files in a compromised user's OneDrive, which the attackers use to establish persistence.

The tool needs both an AWS account and a disposable Microsoft 365 account to operate. Proofpoint noted that the attackers lean on its built-in rotation to stay hidden: each wave of password spraying is launched from servers in a different geographic region, so no single source address accumulates enough failed sign-ins to stand out, which improves their odds of slipping past detection.

Frequency and Scale of Attacks

At its peak, in early January 2025, UNK_SneakyStrike targeted 16,500 accounts in a single day. By source region, about 42% of the malicious activity originated from the United States, 11% from Ireland and 8% from Great Britain. The scale and spread of the targeting point to a well-organized, planned campaign rather than opportunistic attempts.

AWS Response to Malicious Use

Asked about the use of its infrastructure in these attacks, an AWS representative said customers are expected to comply with the company's terms of service, which prohibit using the platform for malicious purposes. AWS said it acts promptly when alerted to violations and works with the security research community to address abuse.

Patterns of Attack Behavior

UNK_SneakyStrike activity consists of large-scale user enumeration and password spraying delivered in concentrated bursts, with each burst followed by four to five days of inactivity. The pacing suggests a deliberate trade-off: hit as many accounts as possible in a short window, then go quiet so that per-account failure counts and alerting thresholds are not tripped between waves.

Proofpoint also observed that the attackers try every user account in smaller cloud tenants but only a subset of accounts in larger ones. That matches how TeamFiltration works: its enumeration step confirms which accounts exist, and the operator can then narrow the spray to the targets worth the attempts rather than wasting guesses on accounts that do not exist or are unlikely to yield access.
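The spray-and-pause pattern described in the two paragraphs above (many distinct accounts, one or two failed attempts each, from rotating cloud source IPs, then several quiet days) is something a defender can look for in Entra ID sign-in logs. The Python below is an added example written for this article; it is not Proofpoint's detection logic and contains no code from TeamFiltration. The sign-in records are constructed inline and only mimic the shape of Graph `signIns` entries (`userPrincipalName`, `ipAddress`, `status.errorCode`), and the thresholds (15 accounts, 3 source IPs, median of at most 2 tries per account, 4 quiet days) are illustrative assumptions a tenant would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

INVALID_PASSWORD = 50126   # Entra ID sign-in errorCode: invalid username or password
EPOCH = datetime(1970, 1, 1)


def make_sample():
    """Constructed sign-in log for this example (not real telemetry).

    Two spray bursts five days apart, each touching many accounts once or
    twice from a handful of rotating source IPs, plus one ordinary user who
    mistypes a password a few times from a single IP in between."""
    rows = []

    def burst(day, n_users, ips):
        t0 = datetime.fromisoformat(day + "T03:00:00")
        for i in range(n_users):
            for attempt in range((i % 2) + 1):          # 1 or 2 tries per account
                rows.append({
                    "createdDateTime": t0 + timedelta(seconds=i * 40 + attempt * 7),
                    "userPrincipalName": f"user{i:03d}@example.com",
                    "ipAddress": ips[i % len(ips)],       # rotate through the pool
                    "errorCode": INVALID_PASSWORD,
                })

    burst("2025-01-06", 40, ["203.0.113.10", "203.0.113.11", "198.51.100.7", "198.51.100.8"])
    burst("2025-01-11", 35, ["192.0.2.21", "192.0.2.22", "203.0.113.44"])

    # Benign noise: alice fails three times from one address, then succeeds.
    t = datetime.fromisoformat("2025-01-08T09:15:00")
    for k in range(3):
        rows.append({"createdDateTime": t + timedelta(seconds=30 * k),
                     "userPrincipalName": "alice@example.com",
                     "ipAddress": "192.0.2.99", "errorCode": INVALID_PASSWORD})
    rows.append({"createdDateTime": t + timedelta(minutes=2),
                 "userPrincipalName": "alice@example.com",
                 "ipAddress": "192.0.2.99", "errorCode": 0})
    return rows


def spray_windows(rows, window=timedelta(hours=1), min_users=15, min_ips=3, max_median_tries=2):
    """Bucket failed password sign-ins into fixed time windows and flag those
    where many distinct accounts each receive only one or two attempts from
    several source IPs: wide across the tenant, shallow per account."""
    secs = window.total_seconds()
    buckets = defaultdict(list)
    for r in rows:
        if r["errorCode"] != INVALID_PASSWORD:
            continue
        offset = (r["createdDateTime"] - EPOCH).total_seconds() // secs * secs
        buckets[EPOCH + timedelta(seconds=offset)].append(r)

    flagged = []
    for start in sorted(buckets):
        tries = defaultdict(int)
        ips = set()
        for r in buckets[start]:
            tries[r["userPrincipalName"]] += 1
            ips.add(r["ipAddress"])
        med = median(tries.values())
        if len(tries) >= min_users and len(ips) >= min_ips and med <= max_median_tries:
            flagged.append({"start": start, "users": len(tries),
                            "ips": len(ips), "median_tries": med})
    return flagged


def burst_gaps(windows, min_gap_days=4):
    """Quiet stretches between flagged spray windows. Several fully quiet
    days between concentrated bursts is the cadence the article describes."""
    days = sorted({w["start"].date() for w in windows})
    gaps = []
    for a, b in zip(days, days[1:]):
        quiet = (b - a).days - 1            # whole days with no flagged spray
        if quiet >= min_gap_days:
            gaps.append((a, b, quiet))
    return gaps


if __name__ == "__main__":
    hits = spray_windows(make_sample())
    for h in hits:
        print(f"{h['start']}: {h['users']} accounts, {h['ips']} source IPs, "
              f"median {h['median_tries']} tries per account")
    for a, b, quiet in burst_gaps(hits):
        print(f"quiet for {quiet} days between bursts on {a} and {b}")
```

Against the sample, only the two bursts are flagged; alice's three failures share one account and one IP, so they never reach the user or IP thresholds. In a real tenant the same logic runs over the sign-in log export, and the `burst_gaps` check is the reason to look across a week or more of data rather than a single day.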

Conclusion

The emergence of UNK_SneakyStrike is a reminder that an unmodified, legitimate red-team tool can power a large criminal campaign. Because the campaign depends on password spraying, the defenses that matter are the familiar ones: enforce multi-factor authentication and Conditional Access for every account, and review Entra ID sign-in logs for the spray signature of many distinct usernames with one or two failed attempts each arriving from rotating cloud-provider addresses.

For defenders, the episode also underlines the value of continuous monitoring: bursts separated by four or five quiet days are easy to miss in a daily view, so detections should look across windows of a week or more.
