A new chapter in the ongoing battle for cloud security unfolded recently, as researchers disclosed a brazen and remarkably methodical campaign that targeted more than 80,000 user accounts across hundreds of organizations and resulted in confirmed account takeovers. The abuse of penetration testing tools, built as shields for defenders, has become a sword wielded with alarming efficacy, drawing fresh attention to the dangerous intersection of legitimate software and malicious innovation.

The Anatomy of UNK_SneakyStrike: How Hackers Flipped the Script on Security Tools​

Active from December 2024 and peaking in January 2025, the attack campaign named "UNK_SneakyStrike" by Proofpoint casts a long shadow over the global Microsoft 365 and Entra ID landscape. By subverting TeamFiltration, a legitimate penetration testing tool released to the security community by TrustedSec, the attackers engineered an expansive password-spraying offensive. Where once the tool let defenders probe their own organizations for weak spots, it is now refashioned as a mechanism for large-scale credential compromise.

The Role of TeamFiltration: A Double-Edged Sword​

TeamFiltration's notoriety in this campaign is both technical and symbolic. Born as an internal project in 2021 and unveiled publicly at DEF CON 2022, TrustedSec's framework was applauded for its utility in simulating real-world attacks, especially those centred on cloud environments and identity systems such as Microsoft Entra ID (formerly Azure AD). Its features (account enumeration, password spraying, data exfiltration from compromised accounts, and automated source IP rotation through FireProx, which fronts requests with AWS API Gateway endpoints) mirror red-team needs for stealth and scale. Unfortunately, those same attributes lower the barrier for threat actors, turning what was meant as a pen-tester's toolkit into a cybercriminal's weapon.
This is not an isolated story. The history of cybersecurity is littered with repurposed tools, Cobalt Strike being the classic cautionary tale. Yet TeamFiltration's free availability and cloud-specific capabilities mark a new step. According to Proofpoint's research, the UNK_SneakyStrike actors relied on the tool's ability to blend with legitimate traffic and to enumerate valid accounts in a target tenant through the Microsoft Teams API, a legitimate collaboration interface repurposed as a reconnaissance channel.

Methodology: From Enumeration to Exploitation​

The campaign's execution demonstrates a blend of automation, strategy, and patience. Launching attacks from Amazon Web Services (AWS) infrastructure, the actors rotated source IP addresses relentlessly, which defeats blocking based on individual addresses or simple location-based filters. Analysis reveals approximately 42% of attack traffic originated from US servers, with significant volumes from Ireland and the UK as well.
The initial phase is account enumeration, abusing the Microsoft Teams API from disposable Office 365 accounts in an attacker-controlled tenant. By validating which user accounts exist in the target tenant before spraying, attackers direct their guesses only at real accounts, reducing noise and raising success rates. The sprays themselves occur in short, intense bursts: a tenant is hammered for a brief period, then left alone for days, a rhythm designed to slip past anomaly-based detections with short lookback windows.
The sophistication continues with the abuse of Microsoft's OAuth infrastructure. The attackers authenticate against specific Microsoft first-party OAuth client IDs that belong to the same family of client IDs (FOCI), so the refresh token issued for one client can be exchanged for access tokens to other members of the family, such as Outlook, OneDrive and Teams. A single guessed password therefore yields broad access across Microsoft 365 services, far beyond the application the attacker first signed in to.

The Blurry Line: Legitimate Tools, Illegitimate Intent​

What makes UNK_SneakyStrike especially dangerous is its fundamental reliance on infrastructure and tools used daily by organizations for non-malicious reasons. This blurring of lines renders traditional signature-based and reputation-based defenses increasingly obsolete.
The use of outdated but distinctive user agent strings embedded in TeamFiltration allowed researchers to fingerprint the campaign, but this detection vector is brittle—future iterations could easily update such signatures to further obfuscate their operations. The attackers’ command over operational security, from strategic pausing to the surgical selection of OAuth targets, signals a maturity often attributed to state-sponsored actors or top-tier organized crime.

Risks and Implications for Organizations: Beyond the Headline Numbers​

The targeting of more than 80,000 user accounts is only one metric of the campaign's reach; its true significance lies in what comes next. Account takeovers serve as springboards for further compromise: internal phishing, data exfiltration, financial fraud, or even ransomware delivery. The interconnectedness of the Microsoft 365 ecosystem means a single breached account can unleash chaos across Outlook, SharePoint, OneDrive, Teams, and a range of Azure services. The ready availability of these offensive security frameworks, with growing technical documentation to accompany them, means replication by less experienced actors becomes alarmingly feasible.
The campaign also serves as a chilling reminder that even organizations with well-maintained security postures can fall victim to sophisticated abuse of “trusted” software and APIs. Tools like TeamFiltration fly under the radar of security controls designed to detect known malware, and their operation can be nearly indistinguishable from the activities of internal IT or external testers.

The Precedent: Echoes of Recent Attacks​

UNK_SneakyStrike is part of a disturbing trend, not a singular anomaly. Its tactics echo the Midnight Blizzard intrusion disclosed by Microsoft in January 2024 and attributed to Russian state-sponsored attackers, who used a password spray against a legacy, non-production test tenant account without MFA to gain a foothold, went on to read senior leadership email, and, as subsequent disclosures revealed, also gained access to source code repositories. Both incidents show how a password spray against weak or recycled passwords, with no second factor in the way, is enough for an initial foothold.
Just as with the 2022 Cobalt Strike abuse targeting Microsoft SQL servers, and the more recent exploitation of Dynamics 365’s Customer Voice application—where threat actors bypassed multi-factor authentication to steal login credentials—the new wave of attacks capitalizes on the trust placed in legitimate platforms, automated processes, and the gaps between user convenience and security.
Analysts now widely agree, as underscored in both Proofpoint and RSA Security’s trend reports, that AI-augmented password spraying and the abuse of identity federation tokens will only accelerate through this year and beyond. The ease with which advanced toolkits are repurposed for malicious use compounds the pressure on defenders to detect what increasingly looks like regular, authorized activity.

Critical Analysis: Strengths of the Defensive Community—and Its Gaps​

The rapid detection and in-depth analysis of the UNK_SneakyStrike campaign speaks to the maturity of today’s cybersecurity research ecosystem. Proofpoint’s ability to correlate traffic, deduce attack origins, and fingerprint attacker infrastructure (despite the use of legitimate cloud providers and a distributed global footprint) is testament to the advances in threat intelligence sharing and analytic rigor. The collaborative nature of public disclosure and research—between tool authors, cloud providers, and defenders—undoubtedly helps raise awareness and arms organizations with actionable intelligence.
Yet, several persistent—and, if anything, expanding—risks should be highlighted:
  • The Weaponization of Offensive Tooling: Security tools from the open-source TeamFiltration to the commercial, and widely pirated, Cobalt Strike are built to be shared with testers, which is exactly what makes them available to attackers. The inexorable march toward open knowledge in security means this genie will not go back in the bottle.
  • Cloud Infrastructure as an Attack Enabler: Threat actors' adept use of public cloud services like AWS for launching attacks presents new challenges for defenders. These services' ubiquity and legitimacy make detecting abuse extremely difficult without context-aware security analytics.
  • API and Authentication Abuse: Tactics such as leveraging the Microsoft Teams API for account enumeration demonstrate how “normal” platform use can be subverted for reconnaissance. Similarly, attacks against OAuth and token infrastructure evade many traditional credential theft protections and threaten the security of even multi-factor authentication implementations.
  • Detection Evasion Techniques: The attackers’ rhythmic switching between activity and dormancy, along with customized user agent strings, signals a level of operational discipline designed specifically to defeat timing- and pattern-based defenses.
  • The Expanding Attack Surface: As Microsoft Entra ID and the Azure ecosystem underpin more and more business operations world-wide, the risk associated with any single point-of-failure (especially federated identity) multiplies.
Defenders, for their part, must wrestle with a surge in alerts and false positives generated by the increased paranoia that comes with such attacks. The very tools which enable security assessment in peacetime become liabilities in the adversary’s campaign.

Practical Guidance: What Organizations Need to Do Now​

In the wake of the UNK_SneakyStrike disclosures, several actionable defenses emerge—not silver bullets, but vital mitigations that can tilt the odds in defenders’ favor:

Implement Robust Password Policies and Monitor for Credential Abuse​

First and foremost, organizations should stop relying on the password alone. Password spraying only works where a single correct guess is enough to sign in, so enforce multi-factor authentication for every account (including test and service accounts) and block legacy authentication protocols that cannot enforce it. On the password side, current guidance (NIST SP 800-63B) favours length over composition rules and drops mandatory periodic rotation, which pushes users toward predictable seasonal passwords of exactly the kind sprays guess; block known-weak and breached passwords instead, for example with Microsoft Entra Password Protection, whose banned-password lists can also be extended to on-premises Active Directory. Continuous monitoring for login anomalies remains critical: many accounts each failing once or twice from a small set of addresses in a short window is a spray, even when no single account trips a lockout threshold.
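A breached-password check of the kind recommended above can be implemented without ever sending the password, or even its full hash, to the feed provider. The following Python is an added example, not Microsoft's Entra Password Protection or Have I Been Pwned's code: it applies the k-anonymity scheme the HIBP range endpoint uses (send only the first five hex characters of the SHA-1, compare suffixes locally) against a constructed local table that stands in for the HTTPS call, and adds the length and banned-term rules that replace composition and rotation requirements. The breach feed contents, their counts and the company terms are constructed for the example.

```python
"""Breached-password check with k-anonymity, offline.

Added example, not Microsoft's or Have I Been Pwned's code. The HIBP range API
receives only the first 5 hex chars of a SHA-1 and returns every known suffix
under that prefix; a constructed local table stands in for the HTTPS call.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach feed (password -> times seen); not real data.
_CONSTRUCTED_BREACH_FEED = {"Password1": 12345, "Winter2025!": 310,
                            "Summer2024": 2200, "Welcome123!": 980}

# Terms that should never appear in a password for this (assumed) tenant.
COMPANY_TERMS = ("corp", "example")


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# prefix -> ["SUFFIX:COUNT", ...], the shape the range endpoint returns.
_RANGE_TABLE = defaultdict(list)
for _pw, _count in _CONSTRUCTED_BREACH_FEED.items():
    _digest = _sha1_hex(_pw)
    _RANGE_TABLE[_digest[:5]].append(f"{_digest[5:]}:{_count}")


def fetch_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (assumed local lookup).
    Only the 5-character prefix ever leaves the caller; the full hash stays local."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return "\n".join(_RANGE_TABLE.get(prefix, []))


def breach_count(password):
    """Times the password appears in the feed, matched on the hash suffix locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password, min_length=14):
    """Length, banned-term and breach checks; no composition rules and no
    expiry, in line with NIST SP 800-63B guidance for memorized secrets."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    if any(term in lowered for term in COMPANY_TERMS):
        reasons.append("contains a company term")
    seen = breach_count(password)
    if seen:
        reasons.append(f"seen {seen} times in breach data")
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("Winter2025!", "MyCorpPassphrase2025", "correct horse battery staple 42"):
        print(candidate, "->", evaluate_password(candidate))
```

To use the real service, replace `fetch_range` with an HTTPS GET of the same prefix and keep everything else local; the suffix comparison is what preserves the password's confidentiality, since the provider only ever learns a 5-character prefix shared by hundreds of other hashes.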

Harden and Monitor OAuth Applications​

Given the attackers' focus on family refresh tokens, understand what they are before trying to control them. The clients in the family are Microsoft first-party applications (Office, Teams, Outlook and others), so they cannot simply be removed from the tenant or de-consented like a third-party app. What can be done is to constrain how they are used: apply Conditional Access to them (requiring compliant or hybrid-joined devices, restricting client platforms, and setting sign-in frequency), enable continuous access evaluation so revocations take effect quickly, and, on any suspected compromise, revoke the user's sessions and refresh tokens as well as resetting the password, remembering that already-issued access tokens keep working until they expire unless continuous access evaluation is in place. Separately, review consented third-party applications and their permission grants, remove unused ones, and require admin consent for high-privilege scopes. In the sign-in logs, alert on first-party client IDs authenticating from unusual hosts or user agents.

Enhance Cloud Provider Security Posture​

Leverage cloud-native controls such as Microsoft Entra ID Protection (formerly Azure AD Identity Protection), Conditional Access policies and continuous access evaluation. Prefer risk-based Conditional Access over simple geo-fencing: with 42% of this campaign's traffic leaving US-based AWS hosts, a country allow-list would not have blocked it, whereas conditions on device compliance and sign-in risk are hard to satisfy from a rented cloud instance, and sign-ins from hosting-provider address space for interactive users deserve their own alert. Where possible, integrate third-party threat protection that can spot rapid account enumeration and spray patterns across tenants.

Segment and Restrict API Usage​

Many attacks rely on API abuse for reconnaissance, but note where this one happens: TeamFiltration's Teams-based enumeration is performed from the attacker's own tenant, so restricting which internal roles can call sensitive APIs does not stop it. What does help is tightening Microsoft Teams external access (federation) to an allow-list of partner domains where the business permits it, since those lookups rely on the target tenant accepting external Teams queries. Inside the tenant, still monitor and alert on high-volume or abnormal queries to collaboration and Graph endpoints, and on bursts of sign-in failures for non-existent user names, which signal enumeration through the login endpoint itself.

Train Users and Security Teams​

Awareness is essential at both the end-user and security operations (SOC) level. While this attack was technically advanced, the pattern of account takeovers inevitably leads to convincing phishing, lateral movement, or data theft—educate users to spot unusual inbox rules, unrecognized sign-ins, or suspicious data access events.

Embrace Threat Intelligence Sharing​

Organizations should join industry ISACs (information sharing and analysis centers) or threat intelligence communities to rapidly share indicators of compromise, mitigation strategies, and best practices. Proactive collaboration is the only way to keep pace with the accelerated learning curve of today’s adversaries.

Future Outlook: The Escalation of Stealth, Automation, and Scale​

The UNK_SneakyStrike campaign may be this quarter’s headline, but its implications are long-term. Automated password-spraying frameworks, API abuse, and token-based attacks have now entered the mainstream toolkits of cybercriminals. With AI-augmented reconnaissance predicted to proliferate through 2025, defenders will be forced to evolve their strategies beyond traditional perimeter monitoring.
Novel abuses of legitimate APIs, rapidly rotating cloud servers, and the subtle mimicry of real user behavior will continue to make detection and response progressively harder. Meanwhile, the ready availability of pentesting software—well-documented and engineered for ease—will fuel both legitimate and malicious innovation.

What Must Change​

  • Widespread Adoption of Defense-in-Depth: Relying on any single defensive layer—be it MFA, token controls, or endpoint protection—is a recipe for failure. Layered controls, context-driven analytics, and zero-trust paradigms must underpin organizational security strategies.
  • Continuous Reassessment of Trust: Today’s trusted API call, OAuth app, or cloud session could be tomorrow’s breach vector. Organizations need immediate visibility into all cloud identities, tokens, and permissions and the ability to revoke or challenge anomalous paths on-demand.
  • Research and Industry Partnership: The rapid identification of attacks like UNK_SneakyStrike—fingerprinting even small quirks like outdated user agent strings—shows the critical value of open research and vendor collaboration. Continued transparency from cloud providers and researchers is essential.

Conclusion: Defending the Modern Cloud Requires an All-Out, All-In Approach​

UNK_SneakyStrike is a warning and a lesson: the very tools built for security can become threats in themselves, and cloud identity platforms have become the new high-value battlegrounds. Organizations must assume that their most trusted processes and APIs will be tested, prodded, and eventually abused by determined adversaries deploying automation and intelligence at scale.
The path forward will demand holistic approaches—combining technical controls, vigilant monitoring, cross-industry intelligence, and relentless user education. As the frontier between attacker and defender continues to blur, only those who constantly adapt, anticipate, and collaborate will hold the line against the next wave.
For Microsoft 365 and Entra ID customers—indeed, for any business operating in the cloud—the time to reassess and reinforce identity and access management has never been more urgent. The attackers are watching, learning, and waiting. So must we.

Source: WinBuzzer Microsoft 365: Hackers Abuse Pentesting Tool for Widespread Attack on 80,000 User Accounts - WinBuzzer
 
