Ransomware gangs are increasingly employing sophisticated tactics, such as email bombing and impersonating tech support through Microsoft Teams, to gain access to company networks. The attackers overwhelm victims with thousands of spam emails in a short span, followed by a call from an adversary-controlled Office 365 account posing as an IT help desk. This approach exploits default Microsoft Teams configurations that permit external calls, enabling the hackers to convince employees to grant remote control access.
One notable campaign involved a group tracked as STAC5143, which began by flooding a target with 3,000 emails in just 45 minutes.
Shortly after, the attackers used a fake Teams account to persuade an employee to set up a remote session. Once access was granted, malware was dropped, including a Java archive and Python scripts hosted on an external SharePoint link. These tools set up encrypted communication channels and let the attackers execute second-stage malware to move deeper into the victim's environment.
Another campaign, attributed to STAC5777, followed a similar pattern of email bombing and Teams impersonation but used Microsoft Quick Assist for remote access. In this attack, malware was hosted on Azure Blob Storage and executed via side-loading techniques, using legitimate processes to disguise malicious activity. The attackers employed tools to log keystrokes, harvest credentials, and scan the network for additional targets, demonstrating advanced capabilities. The campaign ultimately attempted to deploy Black Basta ransomware, connecting it to the notorious ransomware group.
Sophos researchers believe these tactics aim to steal sensitive data and deploy ransomware. They observed signs of attackers searching for credentials in local files and attempting to exploit network vulnerabilities. Given the increasing prevalence of such methods, organizations are advised to restrict external Teams communications, disable Quick Assist on critical systems, and enhance defenses against social engineering attacks to mitigate risks from these evolving ransomware campaigns.
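The sequence described above (a short, massive burst of inbound mail followed by an incoming Teams call from an outside tenant) is something a defender can look for in mail-flow and Teams call logs. The script below is an added example written for this summary; it is not Sophos' detection logic or code from the article. It runs a sliding-window count over inbound mail deliveries for one user, merges consecutive over-threshold windows into a single burst record, and then flags any Teams call from a non-internal domain that arrives during or shortly after such a burst. The event data, the tenant domains, and the burst threshold (500 messages per 45 minutes here, well below the 3,000-in-45-minutes figure from the STAC5143 campaign) are all constructed assumptions for the demonstration.

```python
"""Detect an email-bombing burst followed by an external Teams call.

Added example (not Sophos' or the article's own code). All event data is constructed.
"""
from collections import deque, namedtuple
from datetime import datetime, timedelta

# One record per inbound mail delivery or incoming Teams call for a single user.
# kind: "mail" or "teams_call"; detail: sender address or caller tenant domain.
Event = namedtuple("Event", "ts kind detail")

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organisation's own tenant domain


def build_sample_events():
    """Constructed day of activity: routine mail, one 30-minute flood, two Teams calls."""
    base = datetime(2025, 1, 21, 8, 0)
    events = [Event(base + timedelta(minutes=10 * i), "mail", "colleague@example.org")
              for i in range(60)]                        # one routine mail every 10 min
    flood_start = base + timedelta(hours=2)              # 10:00
    events += [Event(flood_start + timedelta(seconds=3 * i), "mail",
                     f"noreply{i}@newsletter.example")   # placeholder sign-up senders
               for i in range(600)]                      # 600 messages in 30 minutes
    events.append(Event(base + timedelta(hours=1), "teams_call", "example.org"))  # 09:00, internal
    events.append(Event(flood_start + timedelta(minutes=40), "teams_call",
                        "helpdesk-tenant.example"))      # 10:40, external "IT help desk"
    return sorted(events, key=lambda e: e.ts)


def find_mail_bursts(events, window=timedelta(minutes=45), threshold=500):
    """Sliding-window count of inbound mail; a burst is any window holding >= threshold.

    Consecutive over-threshold windows are merged into one burst record, so a
    3,000-message flood produces one alert rather than thousands.
    """
    recent = deque()  # timestamps of mail delivered within the trailing window
    bursts = []
    for e in events:
        if e.kind != "mail":
            continue
        recent.append(e.ts)
        while e.ts - recent[0] > window:
            recent.popleft()
        if len(recent) < threshold:
            continue
        if bursts and bursts[-1]["end"] >= recent[0]:
            bursts[-1]["end"] = e.ts  # extend the current burst
            bursts[-1]["peak"] = max(bursts[-1]["peak"], len(recent))
        else:
            bursts.append({"start": recent[0], "end": e.ts, "peak": len(recent)})
    return bursts


def correlate_external_calls(events, bursts, lookahead=timedelta(hours=4),
                             internal=INTERNAL_DOMAINS):
    """Flag Teams calls from outside tenants that arrive during or shortly after a burst."""
    alerts = []
    for e in events:
        if e.kind != "teams_call" or e.detail in internal:
            continue
        for b in bursts:
            if b["start"] <= e.ts <= b["end"] + lookahead:
                alerts.append({"call_ts": e.ts, "caller_domain": e.detail,
                               "burst_peak": b["peak"], "burst_end": b["end"]})
                break
    return alerts


if __name__ == "__main__":
    evs = build_sample_events()
    found = find_mail_bursts(evs)
    for b in found:
        print(f"mail burst {b['start']:%H:%M}-{b['end']:%H:%M}, peak {b['peak']} msgs/45min")
    for a in correlate_external_calls(evs, found):
        print(f"ALERT {a['call_ts']:%H:%M}: external Teams call from {a['caller_domain']} "
              f"following a mail burst peaking at {a['burst_peak']} messages")
```

In a real deployment the mail events would come from the mail gateway or message-trace logs and the call records from Teams call-quality or audit logs; the threshold should be tuned to the organisation's normal per-mailbox volume, and the external-domain check is the log-side counterpart of the article's advice to restrict external Teams communications.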