Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool

    Date: 06/12/2025

    Severity: High

    Summary

    We recently identified an ongoing account takeover campaign, dubbed UNK_SneakyStrike, that leverages the TeamFiltration framework to target Entra ID accounts. Active since December 2024, the campaign has impacted over 80,000 users across hundreds of organizations. The attackers use Microsoft Teams APIs and AWS infrastructure to perform user enumeration and password spraying. They also exploited access to specific resources of native apps such as Teams, OneDrive, Outlook, and more.

    Indicators of Compromise (IOC) List

    IP Address :

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address : 

    dstipaddress IN ("44.220.31.157","44.206.7.122","3.255.18.223","44.206.7.134","44.212.180.197","3.238.215.143","44.210.66.100","3.216.140.96","44.210.64.196","44.218.97.232") or srcipaddress IN ("44.220.31.157","44.206.7.122","3.255.18.223","44.206.7.134","44.212.180.197","3.238.215.143","44.210.66.100","3.216.140.96","44.210.64.196","44.218.97.232")
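
The query above matches only the listed addresses. As an added example (not from the original advisory or from Gurucul), the following Python script runs the same IP match over constructed sign-in records and goes one step further by flagging the password-spraying pattern the summary describes: one source failing against many distinct accounts in a short window. The `user`, `result` and `time` field names, the thresholds and all sample addresses are assumptions; `IOC_IPS` is a placeholder to be filled with the advisory's list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder IOC set (constructed, RFC 5737 documentation address).
# In use, load the advisory's IP list here instead.
IOC_IPS = {"203.0.113.10"}

def _ev(t, ip, user, result):
    # "srcipaddress" follows the query above; the other field names are assumptions.
    return {"time": f"2025-06-01T{t}", "srcipaddress": ip, "user": user, "result": result}

# Constructed sign-in events: one spraying source, one user mistyping a password,
# and one failure from an address on the placeholder IOC list.
EVENTS = (
    [_ev(f"09:0{i}:00", "198.51.100.7", f"user{i}@example.com", "failure") for i in range(6)]
    + [_ev("09:07:00", "198.51.100.7", "user3@example.com", "success")]
    + [_ev(f"10:0{i}:00", "192.0.2.50", "bob@example.com", "failure") for i in range(4)]
    + [_ev("10:05:00", "192.0.2.50", "bob@example.com", "success")]
    + [_ev("11:00:00", "203.0.113.10", "alice@example.com", "failure")]
)

def ioc_hits(events, iocs):
    """Events whose source or destination address is on the IOC list."""
    return [e for e in events
            if e.get("srcipaddress") in iocs or e.get("dstipaddress") in iocs]

def spray_sources(events, window=timedelta(minutes=30), min_users=5):
    """Map source IP -> most distinct accounts it failed against inside one window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            fails[e["srcipaddress"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    flagged = {}
    for ip, rows in fails.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in rows[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

def successes_from(events, sources):
    """Accounts that signed in successfully from a flagged source: review these first."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["srcipaddress"] in sources})

if __name__ == "__main__":
    hot = spray_sources(EVENTS)
    print(len(ioc_hits(EVENTS, IOC_IPS)), hot, successes_from(EVENTS, hot))
```

Repeated failures on a single account (the `bob@example.com` rows) do not trip the spray rule, because it counts distinct accounts per source rather than raw failures.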

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign


    Tags

    Threat Actor, TeamFiltration, UNK_SneakyStrike, Exploit
