UNK_SneakyStrike: A Massive Microsoft Entra ID Account Takeover Campaign
A large-scale account takeover (ATO) campaign, dubbed UNK_SneakyStrike, targeted over 80,000 Microsoft Entra ID accounts across approximately 100 cloud tenants, as reported by The Hacker News on June 12, 2025. The campaign, which peaked in January 2025 with 16,500 accounts targeted in a single day, exploits the open-source penetration testing tool TeamFiltration to conduct password-spraying attacks. These attacks, aimed at Microsoft 365 services like Outlook, Teams, and OneDrive, highlight the growing misuse of legitimate tools for malicious purposes, compromising hundreds of organizations worldwide.
Exploiting TeamFiltration for Malicious Ends
The UNK_SneakyStrike campaign leverages TeamFiltration, a tool designed for defensive security testing, to execute password-spraying attacks that attempt to breach accounts using common or stolen credentials. The attacks, which began escalating in December 2024, operate in concentrated bursts, targeting all users in smaller tenant environments but selectively hitting specific user subsets in larger ones. Malicious activity primarily originates from AWS infrastructure in the United States (42%), Ireland (11%), and Great Britain (8%), making detection challenging due to the use of trusted cloud services.
Evasion Tactics and Detection Challenges
The campaign’s success stems from its ability to evade traditional security measures. By using cloud infrastructure and a legitimate penetration testing tool, attackers blend malicious login attempts with normal traffic, complicating detection efforts. The attacks pause for four to five days between bursts, further reducing visibility. Cybersecurity experts recommend monitoring for unusual login patterns and implementing robust identity threat detection and response (ITDR) solutions to identify and mitigate such threats across Entra ID and other identity platforms.
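One way to implement the unusual-login-pattern monitoring recommended above, as an added example that is not code from the article or from any tool it names: it runs over constructed Entra ID sign-in records, flags a source IP whose failed sign-ins touch many distinct accounts inside a short window, and lists any account that subsequently authenticated from that IP. Field names follow the Entra ID sign-in log export; the window and user-count thresholds are assumptions to tune per tenant.

```python
# Password-spray detector for Microsoft Entra ID sign-in logs (added example).
# Looks for the burst pattern described for UNK_SneakyStrike: one source IP,
# many distinct accounts, failed sign-ins packed into a short window.
from collections import defaultdict
from datetime import datetime, timedelta


def rec(ts, upn, ip, code):
    """Build one sign-in record in the shape of an Entra ID sign-in log export."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}}


# Constructed sample data, not real log lines. errorCode 50126 = bad credentials,
# 0 = success. One IP sprays four accounts in ~1 minute and then lands on a fifth;
# a second IP is a normal user mistyping a password once.
SAMPLE_SIGNINS = [
    rec("2025-01-08T03:00:05Z", "alice@example.com", "203.0.113.10", 50126),
    rec("2025-01-08T03:00:20Z", "bob@example.com", "203.0.113.10", 50126),
    rec("2025-01-08T03:00:41Z", "carol@example.com", "203.0.113.10", 50126),
    rec("2025-01-08T03:01:03Z", "dave@example.com", "203.0.113.10", 50126),
    rec("2025-01-08T03:01:30Z", "erin@example.com", "203.0.113.10", 0),
    rec("2025-01-08T09:15:00Z", "frank@example.com", "198.51.100.7", 50126),
    rec("2025-01-08T09:15:40Z", "frank@example.com", "198.51.100.7", 0),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(records, window=timedelta(minutes=10), min_users=3):
    """Return {ip: {"sprayed": [...], "succeeded": [...]}} for every IP whose
    failed sign-ins hit >= min_users distinct accounts within any window-long
    span. "succeeded" lists accounts that authenticated from that IP at or after
    the spray started: candidates for credential reset and session revocation."""
    by_ip = defaultdict(list)  # ip -> [(timestamp, upn, errorCode)]
    for r in records:
        by_ip[r["ipAddress"]].append(
            (parse_ts(r["createdDateTime"]), r["userPrincipalName"], r["status"]["errorCode"]))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological; tuples sort on the timestamp first
        fails = [(t, u) for t, u, code in events if code != 0]
        for i, (start, _) in enumerate(fails):
            # Sliding window anchored at each failure: distinct accounts hit
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                succeeded = sorted({u for t, u, code in events if code == 0 and t >= start})
                findings[ip] = {"sprayed": sorted(users), "succeeded": succeeded}
                break
    return findings
```

In production the same logic would run over the Graph `auditLogs/signIns` feed or a SIEM export rather than an in-memory list, and the threshold should sit below the per-tenant baseline of distinct failing accounts per IP.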
Broader Implications for Cloud Security
The UNK_SneakyStrike campaign is part of a broader wave of attacks exploiting Microsoft Entra ID vulnerabilities in 2025. Earlier incidents, such as Russian hackers using fake Entra login pages to target NGOs and a legacy login flaw enabling MFA bypass, underscore the platform’s appeal to cybercriminals. These attacks highlight the need for organizations to phase out outdated authentication methods, strengthen multi-factor authentication (MFA), and adopt proactive security measures like continuous threat exposure management (CTEM) to protect cloud environments.
Strengthening Defenses Against Evolving Threats
The UNK_SneakyStrike campaign serves as a critical wake-up call for organizations relying on Microsoft Entra ID and similar cloud services. To counter such threats, businesses must enhance their security posture through regular audits, advanced authentication protocols, and employee training on phishing and credential safety. Tools like Monkey365, an open-source PowerShell scanner for Microsoft 365 and Entra ID, can help automate compliance reviews and identify vulnerabilities. By prioritizing proactive defenses, organizations can better safeguard their digital assets against sophisticated ATO campaigns.
SOURCE: https://thehackernews.com/2025/06/over-80000-microsoft-entra-id-accounts.html