A sprawling cyber campaign has targeted over 80,000 user accounts across hundreds of organizations by turning a publicly available cybersecurity tool into a weapon for large-scale attacks. According to research from cybersecurity firm Proofpoint, the campaign, dubbed “UNK_SneakyStrike,” leverages a penetration testing framework to execute widespread password-spraying attacks against Microsoft Entra ID environments, resulting in multiple successful account takeovers.
The operation, which began in December 2024 and peaked in early January 2025, highlights a significant and evolving threat: the malicious use of legitimate tools designed for security professionals. The attackers are using a framework from GitHub called TeamFiltration, which was created to help security teams simulate intrusions and test defenses. In the hands of the UNK_SneakyStrike actor, however, it has become an effective engine for account compromise, as detailed in Proofpoint’s research.
The campaign underscores how the line between tools of cyber defense and tools of attack is blurring: the abuse of legitimate applications and frameworks can fly under the radar and bypass traditional security measures.
Anatomy of a Modern Cloud Attack
The UNK_SneakyStrike campaign is methodical in its execution. The attacks originate from Amazon Web Services (AWS) infrastructure, with threat actors systematically rotating servers across various geographic regions—primarily the United States (42%), Ireland (11%), and Great Britain (8%)—to launch waves of password-spraying attempts. This technique makes the malicious traffic significantly harder to block based on IP addresses alone.
Before launching the password spray, the attackers use the TeamFiltration tool’s enumeration feature to verify the existence of user accounts within a target organization. According to Proofpoint’s analysis, this is accomplished by abusing the Microsoft Teams API via a “sacrificial” or disposable Office 365 account, allowing them to identify valid targets without raising immediate alarms.
The campaign’s activity is characterized by highly concentrated bursts of attacks against a single cloud tenant, followed by quiet periods lasting four to five days, likely a tactic to avoid detection by security monitoring systems.
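The pattern described above (many accounts probed from a small, rotating set of source IPs in a short burst) is what a defender would hunt for in Entra ID sign-in logs. The following detection logic is an added example, not Proofpoint's or TrustedSec's code; the log records are constructed, the IP addresses are documentation ranges, and the thresholds are assumptions to tune per tenant. It flags both a single source hitting several accounts and a tenant-wide spray spread thinly across rotating IPs.

```python
"""Password-spray detector over constructed Entra ID-style sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): timestamp, target user,
# source IP, outcome. The 02:00 burst models a spray from rotating cloud IPs;
# the 09:30 entries model an ordinary user mistyping a password once.
SAMPLE_LOG = [
    ("2025-01-05T02:00:01", "alice@example.com", "203.0.113.10", "FAIL"),
    ("2025-01-05T02:00:03", "bob@example.com",   "203.0.113.10", "FAIL"),
    ("2025-01-05T02:00:05", "carol@example.com", "203.0.113.10", "FAIL"),
    ("2025-01-05T02:00:09", "dave@example.com",  "198.51.100.7", "FAIL"),
    ("2025-01-05T02:00:12", "erin@example.com",  "198.51.100.7", "FAIL"),
    ("2025-01-05T02:00:20", "frank@example.com", "192.0.2.44",   "FAIL"),
    ("2025-01-05T02:00:25", "grace@example.com", "192.0.2.44",   "SUCCESS"),
    ("2025-01-05T09:30:00", "alice@example.com", "10.0.0.5",     "FAIL"),
    ("2025-01-05T09:31:00", "alice@example.com", "10.0.0.5",     "SUCCESS"),
]


def parse(rec):
    ts, user, ip, result = rec
    return datetime.fromisoformat(ts), user.lower(), ip, result


def detect_spray(records, window=timedelta(minutes=15), per_ip_min=3, tenant_min=5):
    """Return flagged source IPs (with the accounts each probed) and the set of
    accounts touched by a tenant-wide spray.

    per_ip_min catches one source failing against several accounts; tenant_min
    catches a spray that keeps each IP below that by rotating sources, which is
    why the distinct-user count is also taken across all IPs in the window."""
    fails = sorted(parse(r) for r in records if r[3] == "FAIL")
    flagged_ips = defaultdict(set)
    tenant_users = set()
    for i, (t0, _, _, _) in enumerate(fails):
        in_win = [e for e in fails[i:] if e[0] - t0 <= window]
        by_ip = defaultdict(set)
        for _, user, ip, _ in in_win:
            by_ip[ip].add(user)
        for ip, users in by_ip.items():
            if len(users) >= per_ip_min:
                flagged_ips[ip] |= users
        all_users = set().union(*by_ip.values())
        if len(all_users) >= tenant_min:
            tenant_users |= all_users
    return {"per_ip": dict(flagged_ips), "tenant_wide": tenant_users}
```

A real deployment would also correlate the flagged window with a later successful sign-in for one of the probed accounts, since that is the signal of an actual takeover rather than just an attempt.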
A Tool Turned Weapon
The TeamFiltration framework was not born a malicious tool. According to a blog post by its creators at TrustedSec, it began as an internal project in January 2021 before being publicly released at the DEF CON security conference in August 2022. Its purpose was to give security professionals a powerful way to simulate modern account takeover scenarios.
Its features include advanced data exfiltration and the ability to automatically rotate IP addresses using services like FireProx, making it a potent, publicly accessible offensive security tool.
Distinguishing the UNK_SneakyStrike campaign from legitimate penetration tests required careful forensic analysis. Researchers identified the activity by spotting a distinctive and outdated user agent string hardcoded into the tool.
Further investigation revealed that the attacks consistently targeted a specific list of Microsoft OAuth client application IDs. This method is used to obtain special “family refresh tokens” from Entra ID, which can then be exchanged for valid access tokens for other connected services like Outlook and OneDrive, dramatically expanding the attacker’s foothold from a single compromised account.
A Persistent and Evolving Threat
This campaign is the latest in a series of significant cyber events targeting the Microsoft ecosystem, often involving similar techniques. It follows the major 2024 breach by the Russian-backed group “Midnight Blizzard.”
While the initial disclosure of the breach focused on the compromise of executive emails, Microsoft later revealed in a security update that the intrusion was far more severe, with attackers accessing and stealing company source code. That incident, like UNK_SneakyStrike, also relied heavily on password spray attacks.
The weaponization of security tools is also a recurring theme. A 2022 report detailed how threat actors targeted Microsoft SQL servers with weak passwords to install backdoors using Cobalt Strike, another popular penetration testing tool.
More recently, a separate campaign saw a botnet attack actively exploiting the Microsoft Dynamics 365 Customer Voice enterprise feedback management application to deceive users and steal their login credentials, including bypassing multi-factor authentication (MFA). The attack poses a significant threat to the vast number of organizations globally that rely on Microsoft 365 and Dynamics 365 for business operations.
This trend of exploiting automated processes and authentication gaps is accelerating, with a recent security trends report from RSA Security predicting a rise in AI-driven password spraying throughout 2025.
These advanced tools are designed to be stealthy; as the report by AhnLab’s ASEC group on the 2022 Cobalt Strike attacks noted, the goal is to operate where you are least expected. “As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection.”
The rise of sophisticated, publicly available tools like TeamFiltration has lowered the barrier to entry for conducting widespread, effective attacks against cloud environments. As threat actors continue to adopt and refine these methods, the challenge for defenders is no longer just about blocking known malware but about detecting the subtle abuse of legitimate systems and protocols.
While tools such as TeamFiltration are designed to assist cybersecurity practitioners in testing and improving defense solutions, they can easily be weaponized by threat actors to compromise user accounts, exfiltrate sensitive data, and establish persistent footholds.