In this episode, we dissect UNK_SneakyStrike—a major account takeover campaign targeting Microsoft Entra ID users with precision and scale. Tracked by Proofpoint, this campaign began in December 2024 and has since escalated, leveraging TeamFiltration, a legitimate penetration testing tool, to enumerate users and launch password spraying attacks that have compromised over 80,000 accounts across 100+ cloud tenants.
We explore how attackers are weaponizing red team tools, abusing Microsoft Teams and OneDrive APIs, and even exploiting refresh tokens for persistent access—turning standard identity infrastructure into their playground. With origins traced to AWS infrastructure in the U.S., Ireland, and the UK, the campaign represents a dangerous convergence of identity-based threats, cloud misconfigurations, and cross-cloud attack surfaces.
Join us as we walk through:
🔹 The operational characteristics and attack patterns of UNK_SneakyStrike
🔹 Why password spraying remains effective—and undetected—in the cloud
🔹 How Microsoft Entra’s gaps, like token handling and user enumeration exposure, played a role
🔹 Real-world risks: unauthorized access, lateral movement, and long-term persistence
🔹 The importance of multi-factor authentication, Zero Trust, real-time threat intelligence from AWS’s MadPot and Mithra, and security hygiene
🔹 Concrete mitigation strategies to reduce exposure to identity-focused attacks
This is a must-listen for IT admins, CISOs, cloud security professionals, and anyone responsible for protecting digital identities in Microsoft and hybrid cloud environments.
