- Hackers are abusing a legitimate tool to target Entra ID accounts
- Password-spraying attack targeted approx. 80,000 accounts
- Attackers managed to take over some accounts and access Microsoft Teams, OneDrive and Outlook data
Cybercriminals have been seen abusing a legitimate penetration testing tool to target people’s Entra ID user accounts with password-spraying attacks, experts have warned.
In an in-depth analysis shared with TechRadar Pro, cybersecurity researchers from Proofpoint claimed that tens of thousands of accounts were targeted and a few were compromised.
The researchers said the unnamed threat actors engaged in a large-scale attack they called UNK_SNEAKYSTRIKE.
“More” accounts compromised
In this campaign, attackers used a legitimate pentesting tool called TeamFiltration.
This tool was created by a threat researcher in early 2021 and released publicly at DEF CON 30. It helps to automate multiple tactics, techniques and procedures (TTPs) used in modern account takeover (ATO) attack chains.
“As with many security tools originally created and released for legitimate uses, such as penetration testing and risk assessment, TeamFiltration was also utilized in malicious activity,” explained Proofpoint.
The researchers said the campaign probably started in December 2024. By abusing the Microsoft Teams API and Amazon Web Services (AWS) servers located worldwide, the attackers were able to launch user-enumeration and password-spraying attacks and target about 80,000 user accounts across approx. 100 cloud tenants.
The three primary source geographies from which the attacks originated include the United States (42%), Ireland (11%) and the UK (8%).
Proofpoint said that attackers in “several cases” managed to take over accounts and access valuable information in Microsoft Teams, OneDrive, Outlook and other productivity tools.
There was no attribution, so we don’t know if any organized threat actor is behind this campaign. The researchers focused mainly on the use of legitimate tools for malicious purposes and said they can be “easily weaponized in an attempt to compromise user accounts, exfiltrate sensitive data and establish a continuing foothold.”
“Proofpoint expects threat actors to increasingly adopt advanced penetration tools and platforms, such as TeamFiltration, as they turn away from less effective penetration methods.”
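The password-spraying pattern described above (one source, many accounts, few attempts per account) can be picked out of failed sign-in records. The Python below is an added example, not code from Proofpoint, TeamFiltration or the original article; the event tuple layout, the thresholds and the sample addresses and accounts are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data):
# (timestamp, source_ip, account, success)
def _ev(minute, ip, user, ok=False):
    return (datetime(2025, 1, 1, 9, 0) + timedelta(minutes=minute), ip, user, ok)

SAMPLE_EVENTS = (
    # One source failing once against many different accounts: spray shape.
    [_ev(i, "203.0.113.10", f"user{i}@example.com") for i in range(12)]
    # One user repeatedly mistyping their own password: not a spray.
    + [_ev(i, "198.51.100.7", "alice@example.com") for i in range(12)]
    # An ordinary successful sign-in.
    + [_ev(3, "192.0.2.5", "bob@example.com", ok=True)]
)

def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=10, max_per_account=2):
    """Return {source_ip: sorted accounts} for sources whose failed sign-ins,
    inside any sliding window, hit many distinct accounts with few tries each."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans <= `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            # Breadth (distinct accounts) high, depth (tries per account) low.
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[ip] = sorted(counts)
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts")
```

Because the campaign ran from AWS servers located worldwide, grouping by source IP alone can miss a spray spread over many addresses; the same breadth-versus-depth test can be applied per tenant as well.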



