TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Proofpoint published a report on an account takeover campaign, dubbed UNK_SneakyStrike. The ongoing campaign involves the use of the TeamFiltration penetration testing framework, with the goal of compromising Entra ID accounts.
On June 11th, 2025, Proofpoint published a report detailing an ongoing Account Takeover (ATO) campaign that leverages TeamFiltration, a legitimate penetration testing tool, to target Entra ID accounts. The activity, which Proofpoint tracks under the name UNK_SneakyStrike, has been active since December 2024.
TeamFiltration is a publicly available cross-platform framework (Linux, Windows, and macOS), commonly used by penetration testers and security researchers for “enumerating, spraying, exfiltrating, and backdooring O365 EntraID accounts”. The tool can exfiltrate Microsoft Teams data (chat logs, attachments, and contact lists), files shared via OneDrive, Microsoft Outlook data (email contents and attachments), and data from the Microsoft Graph API, including domain information, users, and groups. For persistence it abuses the “family” refresh tokens that Entra ID issues to Microsoft's first-party applications (the Family of Client IDs, or FOCI): a refresh token obtained for one application in the family can be exchanged for access tokens to any other application in the same family. Refresh tokens are standard OAuth 2.0 tokens with a default lifetime of 90 days; they let the holder obtain new access tokens (bearer tokens) for resources such as Microsoft 365, the Azure portal, and other SaaS applications without re-entering credentials.
Proofpoint's investigation of the UNK_SneakyStrike campaign identified a user agent string corresponding to an outdated version of Microsoft Teams, which TeamFiltration uses by default. The tool relies on an Amazon Web Services (AWS) account to launch intrusion activity, enabling password spraying to be conducted from multiple AWS regions and therefore from a rotating set of source IP addresses. It also requires a Microsoft 365 Business Basic licensed account to enumerate valid user accounts, using the Microsoft Teams API to confirm whether a target account exists. Proofpoint observed the threat actors spoofing the Microsoft Teams user agent in their unauthorized access attempts, and using AWS servers in various regions together with Microsoft APIs to perform user enumeration and password spraying through TeamFiltration.
The UNK_SneakyStrike campaign has been active since December 2024, with its peak observed in January 2025. The campaign has impacted over 80,000 user accounts across 100 cloud tenants, resulting in several successful account takeovers. Proofpoint found that the campaign targeted all user accounts within smaller cloud tenants, while only a limited number of user accounts were targeted in larger tenants. The campaign was characterized by concentrated bursts of unauthorized access attempts within a defined timeframe, followed by dormant periods lasting four to five days.
The UNK_SneakyStrike campaign highlights the security risks associated with dual-use cybersecurity tools. Threat actors continue to repurpose legitimate penetration testing tools for malicious ends. Using publicly available penetration testing tools for intrusion attacks spares threat actors the work of building their own initial access capability, while also providing a detection evasion advantage: because the same tooling is used in authorized assessments, its activity is harder to distinguish from a sanctioned test. This underscores the importance of adopting behavior-based detection strategies, as opposed to relying exclusively on traditional signature-based approaches.
By leveraging TeamFiltration's backdoor capabilities, the attackers can establish persistent access to compromised environments, allowing them to maintain a foothold for potential use in future attacks. Mitigating such activity requires a robust incident response strategy focused on thoroughly identifying, containing, and eradicating attacker access from the environment, including revoking issued refresh tokens rather than only resetting passwords. The observed user agent spoofing further demonstrates the attackers' awareness of detection methods and their efforts to circumvent them.
The attack pattern noted by Proofpoint, where the ATO campaign targeted all user accounts on smaller cloud tenants while only a subset on larger ones, suggests an awareness of organizational scale and monitoring capabilities. A full enumeration is less conspicuous in a smaller environment, while a more selective approach is necessary in larger, more heavily monitored enterprises. Similarly, the burst-and-lull pattern in unauthorized access attempts can be read as a deliberate evasion technique, intended to bypass simple threshold-based detection systems that reset after a fixed interval.
To defend against unauthorized access attempts targeting cloud services like Entra ID, organizations should routinely review audit and sign-in logs, actively monitor for unusual login behavior (many distinct accounts failing authentication from a small set of source IP addresses, sign-ins from cloud hosting provider address space, and unexpected client user agents), and identify patterns that may indicate malicious activity. Maintaining a robust incident response plan is essential, as it supports the recovery process in the event that initial detection mechanisms fail to identify the malicious activity. The eSentire Threat Response Unit (TRU) is tracking this topic to develop detection opportunities across the MDR Suite.
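As an added illustration (not Proofpoint's or eSentire's detection logic, and using constructed sign-in events rather than campaign telemetry), the following Python sketch applies the points above to an exported set of Entra ID sign-in records: it keys failed authentications by source IP rather than by account, so that one or two passwords tried across many users stands out even though no single account approaches its lockout threshold; flags user agents claiming an old Teams client build (the version baseline and the user agent string here are placeholders, not the indicator Proofpoint published); ties bursts of failures separated by several quiet days into one campaign; and treats any successful sign-in from a spraying IP as an account takeover candidate. Field names follow the Entra ID sign-in log schema, and error code 50126 is Entra ID's "invalid username or password".

```python
"""Detection sketch for TeamFiltration-style password spraying against Entra ID.

Added example, not from the original briefing. All events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder for "an old Teams client build"; not the real indicator.
OLD_TEAMS_UA = "Teams/1.3.00.1000 (Windows NT 10.0; Win64; x64)"
TEAMS_UA = re.compile(r"^Teams/(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample events mirroring Entra ID sign-in log columns.
# errorCode 50126 = invalid username/password, 0 = success. ASN 16509 is Amazon.
SAMPLE_EVENTS = []


def _add(day, hour, ip, asn, users, code, ua=OLD_TEAMS_UA):
    for minute, user in enumerate(users):
        SAMPLE_EVENTS.append({
            "createdDateTime": datetime(2025, 1, day, hour, minute, 0),
            "userPrincipalName": user,
            "ipAddress": ip,
            "autonomousSystemNumber": asn,
            "userAgent": ua,
            "errorCode": code,
        })


USERS = [f"user{n}@contoso.example" for n in range(12)]
# Burst 1: two AWS-hosted IPs each try every user once with a wrong password...
_add(6, 3, "18.200.0.10", 16509, USERS, 50126)
_add(6, 3, "54.0.0.20", 16509, USERS, 50126)
# ...then one success from a spray source: an account takeover candidate.
_add(6, 4, "18.200.0.10", 16509, ["user7@contoso.example"], 0)
# Benign noise: one user mistypes a password from the corporate ASN.
_add(7, 9, "203.0.113.5", 64500, ["user1@contoso.example"], 50126,
     ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)")
# Five quiet days, then burst 2 from a different AWS region.
_add(11, 2, "3.0.0.30", 16509, USERS, 50126)


def spray_sources(events, window=timedelta(hours=1), min_users=5):
    """Source IPs that failed auth for >= min_users distinct accounts within one window.

    Keyed per IP, not per account: a spray is one password across many users,
    so per-account lockout counters never reach their threshold.
    """
    per_ip = defaultdict(list)
    for e in events:
        if e["errorCode"] == 50126:
            per_ip[e["ipAddress"]].append(e)
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["createdDateTime"])
        for i, start in enumerate(evs):
            users = {x["userPrincipalName"] for x in evs[i:]
                     if x["createdDateTime"] - start["createdDateTime"] <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def outdated_teams_clients(events, min_version=(1, 6, 0, 0)):
    """User agents claiming a Teams build older than min_version (placeholder baseline)."""
    hits = set()
    for e in events:
        m = TEAMS_UA.match(e["userAgent"])
        if m and tuple(int(x) for x in m.groups()) < min_version:
            hits.add(e["userAgent"])
    return hits


def burst_and_lull(events, min_per_day=10, quiet_days=3):
    """Pairs of burst days separated by quiet_days or more of near silence.

    A per-day threshold reset at midnight sees isolated spikes; looking across the
    whole export ties the spray-then-go-quiet rhythm together as one campaign.
    Returns (first_burst, next_burst, gap_in_days) as ISO date strings.
    """
    per_day = defaultdict(int)
    for e in events:
        if e["errorCode"] == 50126:
            per_day[e["createdDateTime"].date()] += 1
    bursts = sorted(d for d, n in per_day.items() if n >= min_per_day)
    return [(a.isoformat(), b.isoformat(), (b - a).days)
            for a, b in zip(bursts, bursts[1:]) if (b - a).days >= quiet_days]


def takeover_candidates(events, sprayers):
    """Successful sign-ins from an IP that was spraying: treat as ATO until proven otherwise."""
    return sorted({(e["userPrincipalName"], e["ipAddress"]) for e in events
                   if e["errorCode"] == 0 and e["ipAddress"] in sprayers})


if __name__ == "__main__":
    sprayers = spray_sources(SAMPLE_EVENTS)
    print("spray sources:", sprayers)
    print("outdated Teams UAs:", outdated_teams_clients(SAMPLE_EVENTS))
    print("burst/lull pairs:", burst_and_lull(SAMPLE_EVENTS))
    print("takeover candidates:", takeover_candidates(SAMPLE_EVENTS, sprayers))
```

On real data the same functions would run over a sign-in log export (for example from Microsoft Graph or a SIEM), and the ASN field could be used as a further discriminator, since corporate users rarely authenticate from cloud hosting provider address space.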
Bottom Line: Microsoft's Patch Tuesday release for June 2025 included patches for a total of 66 vulnerabilities. One vulnerability from the release, CVE-2025-33053, is a confirmed zero-day with publicly available Proof-of-Concept (PoC) exploit code, observed being exploited by the APT group Stealth Falcon.
In the June Microsoft Patch Tuesday release, the company disclosed a total of 66 vulnerabilities, a slight decrease compared to the May release. Out of the 66 vulnerabilities, ten are rated as critical, and one is confirmed to be actively exploited prior to patch release. Out of ten critical vulnerabilities, eight are classified as remote code execution (RCE) vulnerabilities, while the other two are elevation of privilege vulnerabilities.
The exploited and publicly disclosed vulnerabilities are as follows:
Other notable vulnerabilities addressed by the patches include CVE-2025-33071 (CVSS: 8.1), CVE-2025-47167 (CVSS: 8.4) and CVE-2025-33070 (CVSS: 8.1). CVE-2025-33071 is a Remote Code Execution (RCE) vulnerability within Windows KDC Proxy Service, while CVE-2025-47167 is an RCE vulnerability within Microsoft Office. CVE-2025-33070 is an elevation of privilege vulnerability in Windows Netlogon. These vulnerabilities have no reported Proof-of-Concept (PoC) exploit code, and no current reports of active exploitation, but have all been deemed as “Exploitation More Likely” by Microsoft.
The exploited zero-day, CVE-2025-33053, is a remote code execution vulnerability in Web Distributed Authoring and Versioning (WebDAV). Check Point researchers, who reported the exploitation, state that the APT group Stealth Falcon is continuously evolving its tactics to become even more effective. The threat actors' recent operations showcase a creative approach to infection chains, utilizing WebDAV, LOLBins, multi-stage loaders, and a combination of native and .NET components. The group is known to target the Middle East and Africa, and its activities are linked to the United Arab Emirates government. It is important to note that on June 12th, 2025, GitHub user DevBuiHieu published Proof-of-Concept (PoC) exploit code for this zero-day vulnerability. As PoC exploit code is now publicly available, eSentire's Threat Intelligence team assesses that exploit attempts targeting CVE-2025-33053 will likely increase in the near future.
Within the Frequently Asked Questions (FAQ) sections of some of the vulnerability pages addressed in the June 2025 Patch Tuesday release, Microsoft has stated that security updates for Microsoft 365 were “not immediately available". Microsoft has not provided comment on the specific reason for the delay in Microsoft 365 patches. As of writing, Microsoft states "The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information."
In cases where vulnerabilities are being exploited prior to patch release, Endpoint Detection and Response (EDR) capabilities can act as a stop-gap solution, by identifying known techniques and tools employed post compromise. Outside of zero-days, it is recommended to prioritize the patching of vulnerabilities in Internet-facing applications. These flaws are high value to threat actors, as they may enable initial access into victim companies. Vulnerability management services can aid in the identification and remediation of high priority vulnerabilities. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to all the CVEs listed in this briefing.
Bottom Line: Following kinetic attacks by Israel on multiple Iranian targets, the eSentire Threat Intelligence team assesses that there is a probability of retaliatory cyberattacks by Iranian APT groups targeting both government and private organizations in Israel and allied countries.
On June 12th and 13th, 2025, Israel conducted preemptive strikes against Iran, targeting a uranium enrichment facility, nuclear research centers, military bases, and other targets. The initial attack resulted in the death of high-ranking Iranian military and Islamic Revolutionary Guard Corps (IRGC) members. This military engagement is tracked under the name Operation Rising Lion; the reported goal is degrading Iran’s nuclear capabilities.
At the time of writing, cyberattacks related to this engagement have not been reported. eSentire assesses with medium confidence that a portion of Iran's response to this operation will include cyberattacks. Future Iranian cyberattacks may impact both private and government organizations in Israel and allied countries. Israel and its allies also face an increased risk of targeting by pro-Iranian hacktivist groups, although these attacks will likely be less impactful than the state response.
Iranian threat actors employ a variety of means to gain initial access into victim organizations. These include, but are not limited to, phishing and other social engineering-based vectors, brute-force attacks, and the exploitation of vulnerabilities in Internet-facing assets. The goals of such cyberattacks would likely include data theft for espionage purposes, and potentially the deployment of destructive wiper malware for disruption and retribution.
Cyberattacks may be viewed by the Iranian government as a viable response to the recent kinetic attacks by Israel. While Israel is expected to be the primary target, the U.S. government's awareness of, and reported encouragement of, the operation, together with its past military support of Israel, increases the likelihood of attacks against U.S. organizations.
Hacktivist activity following Israel's attack is also possible. Hacktivist activity is less sophisticated than attacks carried out by APT groups but may still be impactful. These attacks may include website defacements, hack-and-leak operations, and the deployment of ransomware or wiper malware. Iranian hacktivist activity has previously been reported following attacks on the country, including the 2020 assassination of the Iranian General Qassem Soleimani.
Organizations with operations in or affiliations to Israel are strongly encouraged to take proactive security steps. These include ensuring Endpoint Detection and Response (EDR) agents are deployed to all supported assets, enforcing the use of Multi-Factor Authentication (MFA), and ensuring that all Internet-facing assets are up to date with security patches. Additional recommendations for organizations classified as Critical Infrastructure include implementing network segmentation and reviewing programmable logic controllers (PLCs) for default or weak passwords.
In response to this activity, the eSentire Threat Response Unit (TRU) published an advisory on the topic and has reviewed detection capabilities relating to Iranian APT groups.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.