
Hackers are using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide.
The campaign began last December, and researchers at cybersecurity company Proofpoint say that several accounts have been successfully hijacked. They attribute the activity to a threat actor called UNK_SneakyStrike.
According to the researchers, the campaign peaked on January 8, when it targeted 16,500 accounts in a single day. Such rapid bursts were followed by several days of inactivity.

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 Entra ID accounts. It was published in 2022 by TrustedSec red-team researcher Melvin Langvik.
In the UNK_SneakyStrike campaign that Proofpoint observed, TeamFiltration plays a central role in facilitating large-scale intrusion attempts.
Researchers reported that the actor targets all users in small tenants, while in larger ones UNK_SneakyStrike selects only a subset of users.
"Since December 2024, UNK_SneakyStrike activity has affected over 80,000 targeted user accounts in hundreds of organizations, resulting in many cases of successful account takeover," Proofpoint says.
Researchers connected the malicious activity to TeamFiltration after identifying a rare user agent, as well as matching the OAuth client ID hardcoded in the tool's logic.
Other telltale signs include access patterns to incompatible applications and the presence of an outdated snapshot of the FOCI project embedded in the TeamFiltration code.
The attackers used AWS servers in multiple regions to launch the attacks, and used a "sacrificial" Office 365 account with a Business Basic license to abuse the Microsoft Teams API for account enumeration.

Most attacks originate from IP addresses located in the United States (42%), followed by Ireland (11%) and the UK (8%).
Organizations must block all IPs listed in Proofpoint's indicators of compromise section, and create detection rules for the TeamFiltration user agent string.
In addition, it is recommended to enable multi-factor authentication for all users, enforce OAuth 2.0, and use conditional access policies in Microsoft Entra ID.
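One way to express the detection recommended above (an added example, not code from Proofpoint or the original article): it groups sign-in records by day and source IP, flags sources that fail against many distinct accounts or present the watched user agent, and lists accounts that also succeeded from a flagged source. The flattened record layout, the threshold and the user-agent placeholder are assumptions; take the real string from Proofpoint's indicators.

```python
from collections import defaultdict

# Placeholder: substitute the user-agent string from Proofpoint's IoC section.
UA_MARKER = "<TEAMFILTRATION-USER-AGENT-PLACEHOLDER>"
BAD_PASSWORD = 50126  # Entra ID error code: invalid username or password

def find_spray_sources(events, ua_marker=UA_MARKER, min_accounts=3):
    """Flag (day, source IP) pairs that look like password spraying."""
    failed = defaultdict(set)     # (day, ip) -> users with bad-password failures
    succeeded = defaultdict(set)  # (day, ip) -> users with successful sign-ins
    ua_hit = set()                # (day, ip) pairs where the user agent matched
    for e in events:
        key = (e["createdDateTime"][:10], e["ipAddress"])  # ISO 8601 date prefix
        user = e["userPrincipalName"].lower()
        if e["errorCode"] == BAD_PASSWORD:
            failed[key].add(user)
        elif e["errorCode"] == 0:
            succeeded[key].add(user)
        if ua_marker in e.get("userAgent", ""):
            ua_hit.add(key)
    findings = []
    for key in sorted(set(failed) | ua_hit):
        # Many distinct accounts failing from one source, or a user-agent match.
        if len(failed[key]) >= min_accounts or key in ua_hit:
            findings.append({
                "day": key[0], "ip": key[1],
                "accounts_failed": len(failed[key]),
                "ua_match": key in ua_hit,
                # Successes from a flagged source need takeover review.
                "review_for_takeover": sorted(succeeded[key]),
            })
    return findings

# Constructed sample records (not real telemetry); IPs are documentation ranges.
def ev(ts, ip, user, code, ua="Mozilla/5.0"):
    return {"createdDateTime": ts, "ipAddress": ip, "userPrincipalName": user,
            "errorCode": code, "userAgent": ua}

SAMPLE = [
    ev("2025-01-08T09:00:01", "203.0.113.10", "alice@example.com", 50126),
    ev("2025-01-08T09:00:02", "203.0.113.10", "bob@example.com", 50126),
    ev("2025-01-08T09:00:03", "203.0.113.10", "carol@example.com", 50126),
    ev("2025-01-08T09:05:00", "203.0.113.10", "carol@example.com", 0),
    ev("2025-01-08T10:00:00", "198.51.100.7", "dave@example.com", 50126),
    ev("2025-01-08T10:00:30", "198.51.100.7", "dave@example.com", 0),
    ev("2025-01-12T03:00:00", "203.0.113.55", "erin@example.com", 50126, UA_MARKER),
]
```

A single user mistyping a password and then signing in (dave in the sample) stays below the threshold and is not flagged.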


