June 12, 2025

Threat Actor using TeamFiltration tool in large-scale account takeover

Proofpoint researchers have identified an account takeover (ATO) campaign, tracked as UNK_SneakyStrike, that has been active since December 2024. The campaign has targeted over 80,000 user accounts across hundreds of organizations, using the TeamFiltration penetration-testing framework to compromise Microsoft Entra ID user accounts.


Attack Methodology and Tools

  • Account Enumeration: Identifying which usernames in a target tenant correspond to valid Entra ID accounts, so that only real accounts are sprayed.
  • Password Spraying: Trying a small set of commonly used passwords against many accounts, a few guesses per account, to stay below per-account lockout thresholds.
  • Data Exfiltration: Downloading emails, files, and other sensitive business data from compromised accounts.
  • Persistent Access via OneDrive: Uploading attacker-controlled files, potentially containing malware, to a compromised user's OneDrive to establish ongoing access.


Indicators of Compromise (IOCs)

  • User-Agent string (TeamFiltration's default; it impersonates the Microsoft Teams desktop client):
    • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36
  • Notable source IP addresses associated with UNK_SneakyStrike (defanged):
    • 44.220.31[.]157
    • 44.206.7[.]122
    • 3.255.18[.]223
    • 44.206.7[.]134
    • 44.212.180[.]197
    • 3.238.215[.]143
    • 44.210.66[.]100
    • 3.216.140[.]96
    • 44.210.64[.]196
    • 44.218.97[.]232
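The indicators above are only useful once they are matched against sign-in telemetry. The following is an added example, not code from the original post or from Proofpoint: it refangs the published IPs, scans Entra ID sign-in records (fields named as in the Microsoft Graph `signIn` resource: `userPrincipalName`, `ipAddress`, `userAgent`, `status.errorCode`), flags hits on the TeamFiltration User-Agent and the UNK_SneakyStrike IPs, and adds a password-spray heuristic that works even when the actor changes infrastructure: one source IP producing wrong-password failures (Entra error code 50126) across several distinct accounts. The sample records are constructed, and the `min_users=3` threshold is an assumption to be tuned per tenant.

```python
"""Match Entra ID sign-in records against the TeamFiltration / UNK_SneakyStrike
IOCs and a password-spray heuristic. Added example; sample records are constructed."""
import json
from collections import defaultdict

# Default User-Agent presented by TeamFiltration (from the IOC list above).
TEAMFILTRATION_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 "
    "Electron/8.5.1 Safari/537.36"
)
# A normal Chrome User-Agent, used only for the benign sample record.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36")

# Published IPs, kept defanged exactly as they appear in the IOC list.
DEFANGED_IPS = [
    "44.220.31[.]157", "44.206.7[.]122", "3.255.18[.]223", "44.206.7[.]134",
    "44.212.180[.]197", "3.238.215[.]143", "44.210.66[.]100", "3.216.140[.]96",
    "44.210.64[.]196", "44.218.97[.]232",
]


def refang(ioc):
    """Restore a defanged indicator ('1.2.3[.]4', 'hxxp://') to its real form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


SNEAKYSTRIKE_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Entra ID sign-in errorCode 50126 = invalid username or password; 0 = success.
ERR_INVALID_CREDENTIALS = 50126

# Constructed sample records (not real telemetry), emitted as newline-delimited
# JSON in the shape of a Graph signIn export. 203.0.113.10 and 198.51.100.7 are
# documentation ranges standing in for unrelated addresses.
_RAW = [
    ("alice@example.com", "44.220.31.157", TEAMFILTRATION_UA, 50126),
    ("bob@example.com",   "44.220.31.157", TEAMFILTRATION_UA, 50126),
    ("carol@example.com", "44.220.31.157", TEAMFILTRATION_UA, 50126),
    ("dave@example.com",  "44.220.31.157", TEAMFILTRATION_UA, 0),      # spray succeeded
    ("erin@example.com",  "203.0.113.10",  BROWSER_UA,        0),      # benign sign-in
    ("frank@example.com", "198.51.100.7",  TEAMFILTRATION_UA, 50126),  # new IP, same tool
]
SAMPLE_SIGNINS = "\n".join(
    json.dumps({"userPrincipalName": u, "ipAddress": ip, "userAgent": ua,
                "status": {"errorCode": code}})
    for u, ip, ua, code in _RAW
)


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_iocs(records):
    """Return (user, ip, reasons) for each record that hits a published IOC."""
    hits = []
    for r in records:
        reasons = []
        if r.get("userAgent") == TEAMFILTRATION_UA:
            reasons.append("teamfiltration-user-agent")
        if r.get("ipAddress") in SNEAKYSTRIKE_IPS:
            reasons.append("sneakystrike-ip")
        if reasons:
            hits.append((r["userPrincipalName"], r["ipAddress"], reasons))
    return hits


def detect_spray(records, min_users=3):
    """Map source IP -> sorted users for IPs whose wrong-password failures span
    at least min_users distinct accounts. Spraying is few guesses per account
    across many accounts, so breadth of users per IP is the signal, not the
    number of attempts per user (which stays below lockout)."""
    failed_users = defaultdict(set)
    for r in records:
        if r.get("status", {}).get("errorCode") == ERR_INVALID_CREDENTIALS:
            failed_users[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(u) for ip, u in failed_users.items() if len(u) >= min_users}


def compromised_after_spray(records, spray_ips):
    """Accounts that signed in successfully from an IP already flagged for spraying;
    these are the likely takeovers and need a credential reset and session revocation."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["ipAddress"] in spray_ips
                   and r.get("status", {}).get("errorCode") == 0})


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for user, ip, why in match_iocs(recs):
        print(f"IOC hit: {user} from {ip} ({', '.join(why)})")
    sprays = detect_spray(recs)
    for ip, users in sprays.items():
        print(f"Spray from {ip} against {len(users)} accounts: {', '.join(users)}")
    print("Likely compromised:", compromised_after_spray(recs, sprays))
```

Note that `frank@example.com` is caught only by the User-Agent, and `dave@example.com` is caught by the IP list and the spray correlation; in practice the IP list will age fastest, so the User-Agent match and the spray heuristic are the checks worth keeping in a standing detection rule.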


Recommended Mitigations and Defensive Actions

  • Monitor and Detect: Alert on the User-Agent string and IP addresses above in Entra ID sign-in logs, and investigate every match, including successful sign-ins.
  • Implement Strong Authentication: Require phishing-resistant multi-factor authentication (FIDO2 security keys, passkeys, or Windows Hello for Business); a sprayed password that happens to be correct still fails without the second factor.
  • Audit Application Usage: Regularly review OAuth client applications and consents in the tenant, and the privileges assigned to Microsoft Entra ID accounts.
  • Restrict AWS Infrastructure Access: The campaign's sign-in attempts originate from AWS; monitor, and where possible block with Conditional Access, sign-ins from AWS regions and hosting providers the organization does not normally use.
  • Behavioral Analysis: Employ behavioral analytics to distinguish authorized use of penetration-testing tools like TeamFiltration from malicious use of the same tooling.
