Hackers have been utilizing the TeamFiltration pentesting framework to focus on greater than 80,000 Microsoft Entra ID accounts at lots of of organizations worldwide.
The marketing campaign began final December and has efficiently hijacked a number of accounts, say researchers at cybersecurity firm Proofpoint, who attribute the exercise to a menace actor known as UNK_SneakyStrike.
In line with the researchers, the height of the marketing campaign occurred on January 8, when it focused 16,500 accounts in a single day. Such sharp bursts had been adopted by a number of days of inactivity.
Quantity of assaults launched by UNK_SneakyStrike
Supply: Proofpoint
TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 EntraID accounts. It was revealed in 2022 by TrustedSec red-team researcher Melvin Langvik.
Within the UNK_SneakyStrike marketing campaign that Proofpoint noticed, TeamFiltration performs a central position in facilitating large-scale intrusion makes an attempt.
The researchers report that the menace actor targets all customers in small tenants, whereas within the case of bigger one UNK_SneakyStrike selects solely customers from a subset.
“Since December 2024, UNK_SneakyStrike exercise has affected over 80,000 focused consumer accounts throughout lots of of organizations, leading to a number of instances of profitable account takeover,” Proofpoint explains.
The researchers linked the malicious exercise to TeamFiltration after figuring out a uncommon consumer agent the instrument makes use of, in addition to matching OAuth consumer IDs hardcoded within the instrument’s logic.
Different telltale indicators embrace entry patterns to incompatible functions and the presence of an outdated snapshot of Secureworks’ FOCI challenge embedded in TeamFiltration code.
The attackers used AWS servers throughout a number of areas to launch the assaults, and used a ‘sacrificial’ Workplace 365 account with a Enterprise Primary license to abuse Microsoft Groups API for account enumeration.
Quantity of assaults launched by UNK_SneakyStrike
Supply: Proofpoint
Many of the assaults originate from IP addresses positioned in the USA (42%), adopted by Eire (11%) and the UK (8%).
Organizations ought to block all IPs listed in Proofpoint’s indicators of compromise part, and create detection guidelines for the TeamFiltration consumer agent string.
Aside from that, it is strongly recommended to allow multi-factor authentication for all customers, implement OAuth 2.0, and use conditional entry insurance policies in Microsoft Entra ID.
Patching used to imply advanced scripts, lengthy hours, and infinite fireplace drills. Not anymore.
On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch sooner, scale back overhead, and deal with strategic work — no advanced scripts required.
