A sophisticated cyberattack campaign, identified as UNK_SneakyStrike, has been exploiting the TeamFiltration penetration testing framework to compromise Microsoft Entra ID (formerly Azure Active Directory) accounts. Since December 2024, this campaign has targeted over 80,000 user accounts across hundreds of organizations, leading to multiple successful account takeovers.
TeamFiltration: From Security Tool to Cyber Weapon
Originally developed for legitimate penetration testing, TeamFiltration is a cross-platform framework designed to simulate intrusions in Office 365 and Entra ID environments. Its capabilities include:
– Account Enumeration: Identifying valid user accounts within a target environment.
– Password Spraying: Attempting to access accounts using common or systematically varied passwords.
– Data Exfiltration: Extracting sensitive information such as emails and files.
– Persistence via OneDrive: Uploading malicious files to a victim’s OneDrive, replacing legitimate documents with lookalikes containing malware to maintain access.
Although the framework was built for authorized security assessments, cybercriminals have weaponized TeamFiltration to conduct unauthorized attacks against organizations.
Attack Methodology and Infrastructure
The UNK_SneakyStrike campaign employs a combination of Microsoft Teams API and Amazon Web Services (AWS) servers across various geographical regions to execute user enumeration and password spraying attacks. This distributed approach aids in evading detection and maintaining operational resilience.
The attackers exploit Microsoft’s OAuth client application ecosystem, targeting specific client applications within Microsoft’s family refresh token group. This allows them to obtain authentication tokens that can be exchanged across multiple Microsoft services, facilitating unauthorized access.
Indicators of Compromise and Detection
Organizations should be vigilant for signs of compromise, including:
– Unusual Sign-In Attempts: Monitor for login attempts from suspicious IP addresses and user agents, particularly those originating from AWS regions.
– OAuth Application Audits: Regularly review and audit OAuth applications and client IDs within Entra ID, especially those referenced in penetration testing tools.
– Multi-Factor Authentication (MFA): Enforce MFA across all user accounts and restrict the use of legacy authentication protocols.
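As an added example (not code from the article or from TeamFiltration), the following Python flags the two sign-in patterns described above in Entra ID sign-in records: one source IP failing against many distinct accounts, and one user agent failing from many source IPs, which is how a spray spread thinly across cloud hosts still surfaces. Record fields mimic the Microsoft Graph signIn resource; all sample data is constructed, and the thresholds are assumptions to tune per tenant.

```python
"""Password-spray / enumeration detection over Entra ID sign-in records. Added
example, not from the article: records mimic the Microsoft Graph signIn shape and
the sample is constructed; 50126 (wrong password) and 50034 (no such account) are
standard Entra ID sign-in error codes; thresholds are assumptions to tune per tenant."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FAILURE_CODES = {50126, 50034}
BASE = datetime(2025, 1, 15, 8, 0, tzinfo=timezone.utc)

def rec(minute, upn, ip, ua, code=50126):  # one constructed record, `minute` min after BASE
    return {"createdDateTime": (BASE + timedelta(minutes=minute)).isoformat(),
            "userPrincipalName": upn, "ipAddress": ip, "userAgent": ua,
            "status": {"errorCode": code}}

SPRAY_UA, BROWSER_UA = "python-requests/2.31 (constructed)", "Mozilla/5.0 (constructed)"
SAMPLE = (
    # one host spraying six distinct accounts within ten minutes (one probe hits no such user)
    [rec(m, f"{u}@example.com", "198.51.100.7", SPRAY_UA, 50034 if u == "frank" else 50126)
     for m, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # the same tooling spread thinly over two more hosts to stay under per-IP thresholds
    + [rec(2, "gina@example.com", "198.51.100.8", SPRAY_UA), rec(3, "hal@example.com", "198.51.100.8", SPRAY_UA),
       rec(4, "ivan@example.com", "198.51.100.9", SPRAY_UA), rec(6, "judy@example.com", "198.51.100.9", SPRAY_UA)]
    # one user mistyping their own password twice from a browser: not a spray
    + [rec(1, "bob@example.com", "203.0.113.9", BROWSER_UA), rec(2, "bob@example.com", "203.0.113.9", BROWSER_UA)]
)

def detect_spray(records, window=timedelta(minutes=10), min_users=5):
    """IPs whose failed sign-ins hit >= min_users distinct accounts inside any `window`;
    the value is the account set of the first window that trips the threshold."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] in FAILURE_CODES:
            by_ip[r["ipAddress"]].append((datetime.fromisoformat(r["createdDateTime"]), r["userPrincipalName"]))
    hits = {}
    for ip, events in by_ip.items():
        for t, _ in events:                         # window ending at each failure (quadratic per IP, fine for a demo)
            users = {u for s, u in events if t - window <= s <= t}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def shared_user_agents(records, min_ips=3):
    """User agents failing from >= min_ips distinct IPs: one operator rotating source hosts."""
    ips = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] in FAILURE_CODES:
            ips[r["userAgent"]].add(r["ipAddress"])
    return {ua: sorted(s) for ua, s in ips.items() if len(s) >= min_ips}
```

Against the constructed sample, only 198.51.100.7 trips the per-IP spray threshold, while the user-agent correlation ties all three spraying hosts together and leaves the browser user alone.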
Mitigation Strategies
To defend against such sophisticated attacks, organizations are advised to:
– Implement Robust Access Controls: Ensure that access policies are stringent and regularly updated to prevent unauthorized access.
– Continuous Monitoring: Utilize advanced monitoring tools to detect and respond to suspicious activities promptly.
– Employee Training: Educate staff about the risks of phishing and other social engineering tactics that could lead to credential compromise.
The misuse of legitimate security tools like TeamFiltration underscores the evolving sophistication of cyber threats and the necessity for proactive defense strategies.