Major Account Takeover Campaign Targets Microsoft Entra ID Users Worldwide

REDWOOD CITY, Calif. — A new account takeover campaign, internally labeled UNK_SneakyStrike, is targeting Microsoft Entra ID user accounts globally, according to Proofpoint Threat Intelligence.
This malicious campaign began in late 2024 and has already affected over 80,000 user accounts across various organizations. Researchers have identified numerous successful breaches resulting in unauthorized access, showcasing a significant evolution in how legitimate security tools are being exploited for harm.
At the center of this campaign is TeamFiltration, an open-source penetration testing framework designed for cloud environments. Initially released at DefCon30 in August 2021, TeamFiltration automates tasks frequently associated with modern account takeover attacks.
Researchers from Proofpoint have observed that UNK_SneakyStrike’s activities tend to include concentrated bursts of login attempts, often targeting all users in smaller cloud tenants while focusing on a subset in larger organizations. These periods of activity are often followed by lulls lasting four to five days.
Activity peaked on January 8, 2025, when 16,500 accounts were targeted in a single day. This attack pattern highlights the growing sophistication of threat actors who can impersonate legitimate users while using cloud infrastructure to mask their identities.
Data from Proofpoint indicates that the majority of attacks originate from IP addresses in the United States (42%), followed by Ireland (11%) and the United Kingdom (8%). Experts recommend that organizations implement robust security measures, including blocking the identified IP addresses, enabling multi-factor authentication, and enforcing OAuth 2.0 protocols.
Proofpoint has also linked malicious activity to TeamFiltration through identifiable user agent signatures. As part of its recommendations, the cybersecurity firm encourages continuous monitoring and log reviews to safeguard sensitive accounts against further exploitation.
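For the log reviews recommended above, the burst-then-lull pattern can be checked in exported sign-in data. The following is an added example, not code from Proofpoint or TeamFiltration: the event tuple layout, the 25-account threshold, and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample data: (UTC timestamp, target account, source IP, outcome).
# Addresses come from documentation ranges; nothing here is real telemetry.
def sample_events():
    events = []
    for day in (date(2025, 1, 8), date(2025, 1, 9), date(2025, 1, 14)):
        for n in range(40):  # 40 distinct accounts hit on each burst day
            ts = datetime(day.year, day.month, day.day, 3, n)
            events.append((ts, f"user{n}@example.com", "203.0.113.7", "failure"))
    # Background noise: one user mistyping a password on a quiet day.
    events.append((datetime(2025, 1, 11, 9, 0), "user1@example.com",
                   "198.51.100.4", "failure"))
    return events

def targeted_accounts_per_day(events):
    """Map each day to the set of distinct accounts with failed sign-ins."""
    per_day = defaultdict(set)
    for ts, user, _ip, outcome in events:
        if outcome == "failure":
            per_day[ts.date()].add(user)
    return per_day

def find_bursts(events, min_accounts=25):
    """Return (start, end) date ranges in which many distinct accounts were
    targeted, merging consecutive days into one burst. The threshold is an
    assumption and should be tuned to tenant size."""
    per_day = targeted_accounts_per_day(events)
    hot = sorted(d for d, users in per_day.items() if len(users) >= min_accounts)
    bursts = []
    for day in hot:
        if bursts and day - bursts[-1][1] == timedelta(days=1):
            bursts[-1] = (bursts[-1][0], day)  # extend the current burst
        else:
            bursts.append((day, day))
    return bursts

def quiet_days_between(bursts):
    """Number of idle days separating each burst from the next one."""
    return [(nxt[0] - prev[1]).days - 1 for prev, nxt in zip(bursts, bursts[1:])]

if __name__ == "__main__":
    found = find_bursts(sample_events())
    print("bursts:", found)
    print("quiet days between bursts:", quiet_days_between(found))
```

Counting distinct targeted accounts rather than raw failures keeps a single user's repeated typos from registering as a burst.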