Surge in Cyberattacks Targets Over 80,000 Microsoft Entra ID Accounts

By Tina Reynolds

A continuous, widespread cyberattack campaign tracked as UNK_SneakyStrike has exploited over 80,000 user accounts to date across hundreds of organizations’ cloud tenants. In the case of CommonSpirit, malicious activity escalated in December 2024. The compromised accounts have been used in successful account takeovers, which worries cybersecurity professionals and businesses alike.

Recently, the campaign has escalated sharply. According to reports, UNK_SneakyStrike hit 16,500 accounts in a single day in early January 2024. Attackers are now focusing on Microsoft Entra ID accounts, using tactics such as user enumeration, password spraying, data exfiltration, and backdooring to compromise them.

Geographic Distribution of Malicious Activity

Analysis of the activity connected to UNK_SneakyStrike shows a troubling geographic concentration. Ranked by number of attacking IP addresses, the United States is the primary source, accounting for 42% of the activity classified as malicious. Ireland and Great Britain follow, accounting for 11% and 8% of the total activity respectively.

This geographic information shows the extensive reach of these attacks. The report spotlights the continuing and alarming trend of organizations adopting cloud services without raising their security practices to match. The concentration of malicious activity in these areas also shows that attackers are being selective with their targets, going after both small tenants and large hyperscale cloud customers.

“UNK_SneakyStrike’s targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants,” – Proofpoint.

Tactics Employed by Attackers

UNK_SneakyStrike employs several methods to gain access to user accounts. In particular, the attackers take advantage of the Microsoft Teams API and use Amazon Web Services (AWS) servers located in multiple regions around the world. Spreading the activity across this infrastructure makes it easier for them to carry out user enumeration and password-spraying attempts.
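The paragraph above describes the attacker side; for defenders, the two techniques it names leave a recognisable shape in Entra ID sign-in logs. The following Python is an added example, not code from the article or from Proofpoint. It runs a simple spray and enumeration heuristic over a handful of constructed sign-in records: the result codes are real Entra ID sign-in codes, while the IP addresses, user names, thresholds and the one-hour bucketing are assumptions chosen for illustration.

```python
from collections import defaultdict

# Microsoft Entra ID sign-in result codes referenced below (real Entra codes; the log
# records themselves are constructed for this example, not taken from any real tenant).
SUCCESS = 0
INVALID_PASSWORD = 50126   # "Invalid username or password"
USER_NOT_FOUND = 50034     # "User account not found" (useful for spotting enumeration)

# Constructed sample sign-in events: a spraying source (203.0.113.10) touching many
# accounts once or twice each, probing two non-existent names, then succeeding against
# one account; and a legitimate user (198.51.100.7) mistyping their own password.
SIGNIN_LOG = [
    {"ts": "2025-01-08T02:00:01Z", "user": "alice@example.test",  "ip": "203.0.113.10", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T02:00:09Z", "user": "bob@example.test",    "ip": "203.0.113.10", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T02:00:17Z", "user": "carol@example.test",  "ip": "203.0.113.10", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T02:00:25Z", "user": "dave@example.test",   "ip": "203.0.113.10", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T02:00:33Z", "user": "erin@example.test",   "ip": "203.0.113.10", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T02:00:41Z", "user": "frank@example.test",  "ip": "203.0.113.10", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T02:00:49Z", "user": "ghost1@example.test", "ip": "203.0.113.10", "result": USER_NOT_FOUND},
    {"ts": "2025-01-08T02:00:57Z", "user": "ghost2@example.test", "ip": "203.0.113.10", "result": USER_NOT_FOUND},
    {"ts": "2025-01-08T02:01:05Z", "user": "alice@example.test",  "ip": "203.0.113.10", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T02:15:00Z", "user": "alice@example.test",  "ip": "203.0.113.10", "result": SUCCESS},
    {"ts": "2025-01-08T03:00:00Z", "user": "bob@example.test",    "ip": "198.51.100.7", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T03:00:20Z", "user": "bob@example.test",    "ip": "198.51.100.7", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T03:00:40Z", "user": "bob@example.test",    "ip": "198.51.100.7", "result": INVALID_PASSWORD},
    {"ts": "2025-01-08T03:01:00Z", "user": "bob@example.test",    "ip": "198.51.100.7", "result": SUCCESS},
]


def hour_bucket(event):
    """Group events per source IP per calendar hour (e.g. '2025-01-08T02')."""
    return event["ip"], event["ts"][:13]


def detect_password_spray(events, min_users=5, max_attempts_per_user=2):
    """Password spraying is the inverse of brute force: one source, many distinct
    accounts, only one or two wrong-password failures against each. Returns
    {ip: {"distinct_users": n, "attempts": m}} for sources matching that shape."""
    failures = defaultdict(lambda: defaultdict(int))   # (ip, hour) -> user -> count
    for e in events:
        if e["result"] == INVALID_PASSWORD:
            failures[hour_bucket(e)][e["user"]] += 1
    findings = {}
    for (ip, _hour), per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
            findings[ip] = {"distinct_users": len(per_user), "attempts": sum(per_user.values())}
    return findings


def detect_enumeration(events, min_unknown_users=2):
    """User enumeration surfaces as one source producing 'user not found' results for
    several distinct names. Returns {ip: number_of_distinct_unknown_names}."""
    unknown = defaultdict(set)
    for e in events:
        if e["result"] == USER_NOT_FOUND:
            unknown[e["ip"]].add(e["user"])
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= min_unknown_users}


def successful_logins_from_flagged_ips(events):
    """A success from a source already flagged for spraying or enumeration is a likely
    account takeover and the first thing to triage. Returns [(ts, user, ip), ...]."""
    flagged = set(detect_password_spray(events)) | set(detect_enumeration(events))
    return [(e["ts"], e["user"], e["ip"]) for e in events
            if e["result"] == SUCCESS and e["ip"] in flagged]


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SIGNIN_LOG))
    print("enumeration sources:", detect_enumeration(SIGNIN_LOG))
    print("possible takeovers:", successful_logins_from_flagged_ips(SIGNIN_LOG))
```

On the constructed data the legitimate user who mistypes a password three times is not flagged (one account, several attempts), while the spraying source is flagged on both heuristics and its later success against one account is surfaced as the takeover to investigate first. Enumeration that goes through the Teams API rather than the sign-in endpoint will not necessarily produce 50034 events, so this catches only the sign-in side of the activity; in a real deployment the inline list would be replaced by a sign-in log export and the thresholds tuned to the tenant's size.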

During this campaign there was an unusual pause in the activity of about four to five days. The current surge in login attempts indicates that the attackers are executing a highly organized operation to take advantage of weaknesses in user accounts. Organizations have been advised to stay alert and strengthen their security practices in light of this onslaught.

“Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts,” – Proofpoint.

Response from Service Providers

These developments have prompted service providers, including AWS, to respond and renew their commitment to protecting customer environments against threats. An AWS spokesperson stated, “AWS has clear terms that require our customers to use our services in compliance with applicable law.” They added that AWS’s enforcement approach has always been proactive, including investigating potential violations on its own initiative.

When abuse is reported, AWS says it moves quickly to investigate and requires the offending party to cease the activity. “When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content,” the spokesperson added. Beyond providing tooling, AWS encourages collaboration with the security research community to further strengthen safety for everyone.

“We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process,” – AWS spokesperson.