Source: The Hacker News
Author: info@thehackernews.com (The Hacker News)
URL: https://thehackernews.com/2025/06/over-80000-microsoft-entra-id-accounts.html
ONE SENTENCE SUMMARY: Attackers exploit TeamFiltration to target Microsoft Entra ID accounts, compromising over 80,000 users via password spraying and enumeration methods.
MAIN POINTS:
- New ATO campaign named UNK_SneakyStrike targets Microsoft Entra ID user accounts.
- Attackers leveraged the open-source framework TeamFiltration, originally built for penetration testing.
- Over 80,000 user accounts breached across numerous cloud tenants since December 2024.
- Microsoft Teams API and AWS servers were utilized to perform attacks.
- Primary attack methods include password spraying, user enumeration, and data exfiltration.
- Malicious files were uploaded to victims’ Microsoft OneDrive accounts for persistent access.
- Attack waves originated from geographically dispersed AWS servers to evade detection.
- Top attacking regions were the United States (42%), Ireland (11%), and Great Britain (8%).
- Attacks occurred in concentrated bursts followed by quiet periods of four to five days.
- Smaller cloud tenants experienced broad targeting, while larger tenants had selective targeting.
TAKEAWAYS:
- Security tools intended for protection can be weaponized by attackers.
- Organizations must monitor for abnormal login attempts and geographic patterns.
- Regularly review and tighten user account access and permissions in cloud environments.
- Implement proactive defenses such as multi-factor authentication to counteract password spraying.
- Remain vigilant about publicly available security frameworks being misused by threat actors.
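
The monitoring takeaway above, as an added detection sketch that is not from the original article: because the spraying came in short bursts from dispersed servers, a per-source rule can stay silent while a source-agnostic rule still sees the burst. The event layout, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (time, source IP, account, success); documentation IP ranges.
EVENTS = [
    ("2025-01-10T03:10:00", "192.0.2.44", "alice@example.com", False),
    ("2025-01-10T03:10:40", "192.0.2.44", "alice@example.com", True),
    ("2025-01-10T09:00:05", "203.0.113.10", "bob@example.com", False),
    ("2025-01-10T09:00:50", "198.51.100.7", "carol@example.com", False),
    ("2025-01-10T09:01:30", "203.0.113.77", "dave@example.com", False),
    ("2025-01-10T09:02:10", "198.51.100.90", "erin@example.com", False),
    ("2025-01-10T09:03:00", "192.0.2.200", "frank@example.com", False),
    ("2025-01-10T09:04:20", "203.0.113.150", "grace@example.com", False),
]

def _failures(events):
    """Failed sign-ins only, parsed and ordered by time."""
    return sorted((datetime.fromisoformat(t), ip, user) for t, ip, user, ok in events if not ok)

def _widest_burst(fails, window):
    """Sliding window: the span with the most distinct accounts failing within `window`."""
    best, start = [], 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        span = fails[start:end + 1]
        if len({u for _, _, u in span}) > len({u for _, _, u in best}):
            best = span
    return best

def per_source_hits(events, window=timedelta(minutes=10), min_users=3):
    """Classic rule: a single IP failing against many accounts."""
    by_ip = defaultdict(list)
    for f in _failures(events):
        by_ip[f[1]].append(f)
    return sorted(ip for ip, fails in by_ip.items()
                  if len({u for _, _, u in _widest_burst(fails, window)}) >= min_users)

def tenant_burst(events, window=timedelta(minutes=10), min_users=5):
    """Source-agnostic rule: many accounts failing together, whatever the IP."""
    span = _widest_burst(_failures(events), window)
    users = {u for _, _, u in span}
    if len(users) < min_users:
        return None
    return {"accounts": len(users), "sources": len({ip for _, ip, _ in span}),
            "start": span[0][0].isoformat(), "end": span[-1][0].isoformat()}
```

On the constructed data the per-source rule flags nothing, while the tenant-wide rule reports six accounts failing from six sources inside five minutes.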