UNK_SneakyStrike’s Entra ID Exploitation via TeamFiltration


TeamFiltration, a red team tool designed for penetration testing in Microsoft Entra ID (formerly Azure AD) environments, has been weaponized by threat actors in a malicious campaign tracked as UNK_SneakyStrike. Originally published on GitHub and introduced at DEF CON 30, the tool is now being used for real-world account takeover (ATO) attempts against cloud identities. Detailed by Proofpoint in June 2025, the campaign has targeted tens of thousands of accounts across organizations worldwide.

Severity Level: High

Threat Overview

  1. Start of Activity: December 2024
  2. Campaign Scale: ~80,000 accounts across ~100 cloud tenants have been targeted
  3. Malicious Behavior:
    • Sign-ins carry the outdated Teams desktop user agent hard-coded in the tool, which serves as a fingerprint: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36"
    • Microsoft's own OAuth client (application) IDs are abused to obtain refresh tokens, which are then used to access the victim's data

Attack Flow

1. Preparation

  • Attacker sets up an AWS environment spanning multiple regions, so that requests can be rotated across source IPs
  • A "sacrificial" Microsoft 365 account with a Business Basic license is prepared; it provides the Teams access used for enumeration

2. Enumeration Phase

  • The Teams API and OneDrive are queried through the sacrificial account to confirm which usernames exist in the target tenant
  • Microsoft OAuth application IDs are used when probing accounts, so the traffic resembles ordinary Microsoft client activity

3. Credential Attack Phase

  • Password spraying is launched from AWS hosts, rotating the source region between attempts
  • The rotation defeats IP-based rate limits and geolocation blocks that would stop a single-source spray

4. Account Takeover (ATO)

  • Upon a successful login, data is exfiltrated (email, OneDrive files and other tenant data)
  • Malware or backdoors may be uploaded to the victim's OneDrive

5. Persistence & Lateral Movement

  • Replacing existing files with malicious lookalikes (e.g., macro-enabled documents) so that colleagues who open the shared file are compromised in turn
  • Attempting to escalate privileges within the cloud tenant

Recommendations

1. Enforce MFA across all Microsoft Entra ID accounts, preferring phishing-resistant methods where available.

2. Disable legacy authentication protocols (e.g., basic authentication for IMAP, POP3 and SMTP), which cannot enforce MFA and are often used in ATO attacks.

3. Implement Conditional Access policies that block sign-ins from untrusted IP ranges, unmanaged device types or unexpected geolocations.

4. Monitor and restrict OAuth application grants and regularly audit third-party access.

5. Train employees to recognize account compromise symptoms (unexpected OneDrive file changes, login alerts).

6. Inform users about MFA fatigue (push-bombing) attacks and why they must deny any authentication prompt they did not initiate.

7. Note that the IOC IPs originate from shared AWS infrastructure that also serves legitimate traffic, so blocking them outright will cause collateral damage.

8. Instead of blocking outright, apply contextual behavioral detection and risk-based alerting to activity originating from the IOC-listed IP addresses. IOCs:

  • https://www.virustotal.com/gui/collection/326a48e12315e80ef35de053148791c700e361962b154dbb1e16a8f1c4d74b6d/iocs

9. Tag the IOC IPs as "High-Risk Cloud Sources" in your SIEM or threat intelligence platform and correlate traffic from these IPs with user behavior analytics:

  • Alert when multiple failed sign-ins across many accounts, or unusual sign-in geolocation patterns, originate from the IOC IPs.
  • Flag a successful sign-in from an IOC IP that is followed by OneDrive uploads or Teams API queries.

10. Monitor for abuse of Microsoft OAuth client IDs, especially those used by TeamFiltration, and alert on atypical refresh token activity (for example, one account obtaining tokens for several Microsoft client applications from the same address within minutes).
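The following hunting script is an added example written for this advisory; it is not code from Proofpoint, Ampcus Cyber or the TeamFiltration project. It runs the four checks recommended above over constructed sample records: the hard-coded Teams user agent from the Threat Overview, a password spray from one source IP against many accounts, a successful sign-in from an IOC IP followed by a OneDrive write, and one account obtaining tokens for several client applications in quick succession. The record schema, the IOC IPs (TEST-NET-3 documentation addresses standing in for the VirusTotal list), the client app IDs and the thresholds are all assumptions; adapt the field names to your Entra sign-in log and unified audit log export.

```python
"""Hunt Entra ID sign-in and OneDrive audit records for UNK_SneakyStrike patterns.
Added example; the field names form a simplified, constructed schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# User agent hard-coded in TeamFiltration (quoted in the advisory).
TF_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 "
                 "Electron/8.5.1 Safari/537.36")
TF_UA_MARKERS = ("Teams/1.3.00.30866", "Electron/8.5.1")
NORMAL_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0")

# Assumed stand-ins for the VirusTotal IOC list (TEST-NET-3 addresses, not real IOCs).
IOC_IPS = {"203.0.113.10", "203.0.113.11"}
ONEDRIVE_WRITE_OPS = {"FileUploaded", "FileModified", "FileCopied"}


def _t(s):
    return datetime.fromisoformat(s)


def _rec(i, time, user, ip, status, ua=TF_USER_AGENT, app="app-teams"):
    # appId values are constructed placeholders for Microsoft client application IDs.
    return {"id": i, "time": _t(time), "user": user, "ip": ip,
            "status": status, "ua": ua, "appId": app}


# Constructed sign-in log: a spray of six accounts from one IP, a hit on erin from a
# second (rotated) IP, tokens for three client apps, and one benign session for grace.
SIGNINS = [
    _rec(1, "2025-01-15T02:00:00", "alice@example.com", "203.0.113.10", "failure"),
    _rec(2, "2025-01-15T02:01:00", "bob@example.com", "203.0.113.10", "failure"),
    _rec(3, "2025-01-15T02:02:00", "carol@example.com", "203.0.113.10", "failure"),
    _rec(4, "2025-01-15T02:03:00", "dave@example.com", "203.0.113.10", "failure"),
    _rec(5, "2025-01-15T02:04:00", "erin@example.com", "203.0.113.10", "failure"),
    _rec(6, "2025-01-15T02:05:00", "frank@example.com", "203.0.113.10", "failure"),
    _rec(7, "2025-01-15T02:12:00", "erin@example.com", "203.0.113.11", "success"),
    _rec(8, "2025-01-15T02:13:00", "erin@example.com", "203.0.113.11", "success", app="app-office"),
    _rec(9, "2025-01-15T02:14:00", "erin@example.com", "203.0.113.11", "success", app="app-outlook"),
    _rec(10, "2025-01-15T03:00:00", "grace@example.com", "198.51.100.5", "success", ua=NORMAL_UA, app="app-office"),
]

# Constructed OneDrive audit events (unified audit log style).
ONEDRIVE_EVENTS = [
    {"time": _t("2025-01-15T02:20:00"), "user": "erin@example.com", "ip": "203.0.113.11",
     "operation": "FileUploaded", "object": "Q1_Report.docm"},
    {"time": _t("2025-01-15T03:05:00"), "user": "grace@example.com", "ip": "198.51.100.5",
     "operation": "FileUploaded", "object": "notes.txt"},
]


def _distinct_in_window(recs, field, window):
    """Largest set of distinct `field` values among records within `window` of one record."""
    recs = sorted(recs, key=lambda r: r["time"])
    best = set()
    for i, first in enumerate(recs):
        vals = {r[field] for r in recs[i:] if r["time"] - first["time"] <= window}
        if len(vals) > len(best):
            best = vals
    return best


def flag_teamfiltration_ua(signins):
    """IDs of sign-ins whose user agent carries both TeamFiltration markers."""
    return {r["id"] for r in signins if all(m in r["ua"] for m in TF_UA_MARKERS)}


def detect_password_spray(signins, min_users=5, window=timedelta(minutes=30)):
    """Source IPs that failed against >= min_users distinct accounts within one window."""
    by_ip = defaultdict(list)
    for r in signins:
        if r["status"] == "failure":
            by_ip[r["ip"]].append(r)
    hits = {}
    for ip, recs in by_ip.items():
        users = _distinct_in_window(recs, "user", window)
        if len(users) >= min_users:
            hits[ip] = users
    return hits


def correlate_ioc_login_to_onedrive(signins, events, ioc_ips, window=timedelta(hours=1)):
    """OneDrive writes preceded (within window) by a successful sign-in from an IOC IP.
    Returns (earliest_signin_id, user, operation, object) per matching event."""
    out = []
    for e in events:
        if e["operation"] not in ONEDRIVE_WRITE_OPS:
            continue
        prior = [r for r in signins
                 if r["user"] == e["user"] and r["status"] == "success" and r["ip"] in ioc_ips
                 and timedelta(0) <= e["time"] - r["time"] <= window]
        if prior:
            first = min(prior, key=lambda r: r["time"])
            out.append((first["id"], e["user"], e["operation"], e["object"]))
    return out


def detect_multi_client_tokens(signins, min_clients=3, window=timedelta(minutes=15)):
    """(user, ip) pairs that obtained tokens for >= min_clients distinct client apps in one
    window. Assumed heuristic: a person rarely signs into several Microsoft clients within
    minutes from one address, whereas a tool trading one refresh token for many app tokens does."""
    by_key = defaultdict(list)
    for r in signins:
        if r["status"] == "success":
            by_key[(r["user"], r["ip"])].append(r)
    hits = {}
    for key, recs in by_key.items():
        apps = _distinct_in_window(recs, "appId", window)
        if len(apps) >= min_clients:
            hits[key] = apps
    return hits


if __name__ == "__main__":
    print("TeamFiltration UA:", sorted(flag_teamfiltration_ua(SIGNINS)))
    print("Spray sources:", detect_password_spray(SIGNINS))
    print("IOC login -> OneDrive write:", correlate_ioc_login_to_onedrive(SIGNINS, ONEDRIVE_EVENTS, IOC_IPS))
    print("Multi-client token pulls:", detect_multi_client_tokens(SIGNINS))
```

Each check returns its findings rather than blocking anything, in line with recommendation 8: the spray detector keys on many distinct accounts from one address within a window (a single user mistyping a password does not trip it), and the OneDrive correlation only fires when the write follows a success from an IOC address, so ordinary traffic from the shared AWS ranges is left alone.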

Source:

  • https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign

Ampcus Cyber