An extensive account takeover (ATO) campaign targeting Microsoft Entra ID has been identified by cybersecurity experts, exploiting a powerful open-source penetration testing framework known as TeamFiltration.
First detected in December 2024, the campaign has accelerated rapidly, compromising more than 80,000 user accounts across many cloud environments over the past several years.
Threat intelligence firm Proofpoint tracks this sophisticated and stealthy operation, aimed at breaching enterprise cloud infrastructure, under the codename UNK_SneakyStrike.
UNK_SneakyStrike stands out for its distinctive operational pattern: activity unfolds in waves across a single cloud environment, often targeting a broad spectrum of users.
These aggressive bursts of login attempts are usually followed by quiet periods lasting between four and five days, a tactic that helps the attackers avoid triggering traditional detection mechanisms while keeping sustained pressure on organizations' defences.
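The wave-then-silence pattern described above is something a defender can look for in Entra ID sign-in logs. The following is an added illustration, not code from the article, Proofpoint, or the TeamFiltration project: it buckets failed sign-ins by hour, flags hours that touch many distinct accounts, and reports the gaps between flagged waves. The log records are constructed, and the field names (`time`, `user`, `status`) are an assumed simplification rather than an official export schema.

```python
from collections import defaultdict
from datetime import datetime

def build_sample_log():
    """Constructed sample (not real data): three one-hour bursts of failed
    sign-ins, each hitting dozens of distinct users, spaced five days apart,
    plus a little ordinary background traffic."""
    log = []
    for day, n_users in ((1, 40), (6, 55), (11, 30)):
        for i in range(n_users):
            log.append({"time": f"2025-01-{day:02d}T03:{i % 60:02d}:00",
                        "user": f"user{i}@example.test",
                        "status": "failure"})
    for day in range(1, 13):  # background: one success and one failure per day
        log.append({"time": f"2025-01-{day:02d}T09:00:00",
                    "user": "alice@example.test", "status": "success"})
        log.append({"time": f"2025-01-{day:02d}T09:05:00",
                    "user": "bob@example.test", "status": "failure"})
    return log

def find_waves(log, min_users=20):
    """Bucket failed sign-ins by hour. A bucket is a wave when it touches at
    least min_users distinct accounts, i.e. broad spray-like targeting rather
    than one user mistyping a password. Returns (hour, distinct_users) pairs."""
    users_per_hour = defaultdict(set)
    for rec in log:
        if rec["status"] != "failure":
            continue
        hour = datetime.fromisoformat(rec["time"]).replace(minute=0, second=0)
        users_per_hour[hour].add(rec["user"])
    return sorted((ts, len(u)) for ts, u in users_per_hour.items()
                  if len(u) >= min_users)

def quiet_gaps_days(waves):
    """Whole days of silence between consecutive waves; gaps of four to five
    days match the cadence the article attributes to UNK_SneakyStrike."""
    return [(later[0] - earlier[0]).days
            for earlier, later in zip(waves, waves[1:])]

if __name__ == "__main__":
    waves = find_waves(build_sample_log())
    for ts, n in waves:
        print(f"{ts:%Y-%m-%d %H:00}: failed sign-ins against {n} distinct users")
    print("quiet gaps between waves (days):", quiet_gaps_days(waves))
```

The threshold of 20 distinct users per hour is an assumption to tune against your tenant's baseline; the per-user background failures in the sample fall well below it and are not flagged.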
Several technical indicators point to the attackers using TeamFiltration, an open-source penetration testing framework first introduced at the Def Con security conference in 2022.
As well as its original purpose of offering security testing and red teaming services in enterprises, TeamFiltration is now being used by malicious actors to automate large-scale user en
[…]