Attackers are utilizing the SOAPHound enumeration tool to map Active Directory environments by querying non-existent LDAP attributes. Due to Active Directory's query optimization logic, these queries are transformed into a generic '(! (FALSE))' pattern in Event ID 1644 logs, effectively hiding the tool's signature and bypassing traditional string-based detection mechanisms.