Attackers Pose as IT Support, Hack Systems via Microsoft Teams Calls

Sophos reports cybercriminals exploiting Microsoft Teams to impersonate IT support, steal data, and deploy ransomware.

Cybersecurity Alert: Sophos Warns of Microsoft Teams Abuse by Ransomware Operators

Sophos has sounded an alarm over a new wave of cyberattacks targeting organizations via Microsoft Teams. In a report published on Tuesday, the cybersecurity firm revealed that threat actors are impersonating tech support personnel to gain access to victim organizations, with the ultimate goal of stealing sensitive data or deploying ransomware.

The report highlights campaigns orchestrated by two threat groups, tracked as STAC5143 and STAC5777, which have collectively exploited Microsoft Office 365 services, including Teams and Outlook, to execute their malicious activities.

A Surge in Sophisticated Attacks

Sophos disclosed that it has identified over 15 incidents in the past three months, with half of these occurring in just the last two weeks. The report provides an alarming glimpse into how cybercriminals exploit Microsoft’s default configurations and remote access tools to target organizations.

“Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users,” Sophos researchers explained.

Tactics Employed by the Threat Actors

Sophos’ investigation unveiled the following common tactics used by the groups:

  • Email Bombing: Overwhelming inboxes of targeted employees to create urgency.
  • Vishing and Video Calls: Impersonating IT support via Teams messages and calls.
  • Remote Control Tools: Using Microsoft Quick Assist or Teams screen sharing to take control of victims’ computers.

How They Differ

The techniques varied between the two groups:

  1. STAC5143:
    • Initiated Teams calls from accounts named “Help Desk Manager,” often appearing legitimate, particularly for organizations using managed IT service providers.
    • Gained remote access via Teams to drop and execute malware from external SharePoint storage.
  2. STAC5777:
    • Relied on email bombing followed by fraudulent Teams messages, claiming to address spam issues.
    • Executed more hands-on-keyboard activities and used scripted commands to maintain persistence and steal credentials.

Links to Ransomware and Past Campaigns

Sophos found connections between the STAC5143 group and Storm-1811, a threat actor known for leveraging tech support scams and deploying Black Basta ransomware. In one case, Sophos’ endpoint protection blocked an attempt by the attackers to execute Black Basta during a ransomware deployment.

“Scammers have been leveraging the Teams open calling feature for some time, but these recent campaigns by ransomware operators are more sophisticated and orchestrated,” said Sean Gallagher, Principal Threat Researcher at Sophos X-Ops.

Defensive Measures for Organizations

Sophos has urged organizations to bolster their defenses by implementing the following measures:

  • Restrict External Communications: Configure Microsoft Teams to block messages and calls from external domains.
  • Limit Remote Access Tools: Disable unused remote control applications like Quick Assist.
  • Enhance Employee Training: Educate employees on recognizing social engineering tactics and on verifying that a caller is genuinely from the organization’s IT support team.
  • Review Security Configurations: Regularly audit organization-wide settings and restrict unnecessary features that could be exploited.
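The first two recommendations correspond to concrete tenant and endpoint settings. The following PowerShell is an added example, not part of the Sophos report or of this article, showing how an administrator can audit and tighten them. It assumes the MicrosoftTeams module, a Teams administrator account for the federation settings, and an elevated session on the endpoint for the Quick Assist step; the partner domain in the allow-list variant is a placeholder.

```powershell
# Added example (not from the article or from Sophos): settings that map to the
# "restrict external communications" and "limit remote access tools" recommendations.
# Review each change against business needs before applying it tenant-wide.

# --- 1. Teams external access (federation) ---
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Audit first: with federation on and no domain lists, any external tenant can
# start chats or calls with internal users, which is the default the attackers relied on.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowedDomains, BlockedDomains

# Option A: block chats and calls from all external domains.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Option B (assumption: a managed service provider must still be able to reach staff):
# keep federation on but restrict it to an explicit allow-list. "msp.example" is a placeholder.
# $pattern = New-CsEdgeDomainPattern -Domain "msp.example"
# $allowList = New-CsEdgeAllowList -AllowedDomain $pattern
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# In both cases, stop unmanaged consumer Teams accounts from initiating contact with staff.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# --- 2. Quick Assist on Windows endpoints ---
# Quick Assist is an optional Windows capability. On machines where the organization's
# own help desk does not use it, removing it closes the remote-control path described above.
$qa = Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*'
if ($qa -and $qa.State -eq 'Installed') {
    Remove-WindowsCapability -Online -Name $qa.Name
}
```

Applying the Teams change in audit-then-enforce order matters: the `Get-CsTenantFederationConfiguration` output records the pre-change state, so an organization can confirm whether it was running with the open default and whether any business-justified external domains need to be carried into an allow-list before federation is switched off.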

“Organizations using Microsoft 365 should be on high alert,” Gallagher emphasized. “Sophos continues to see new cases linked to these campaigns. Proactively checking configurations and blocking unused remote tools can mitigate risks significantly.”

A Broader Trend in Cybercrime

Gallagher warned that the abuse of communication platforms like Microsoft Teams and Office 365 is a growing trend. The combination of cross-organization messaging, credential theft, and access token abuse makes these platforms attractive targets for cybercriminals.

“Any communication platform that allows external messaging is a potential candidate for this type of attack. Organizations must remain vigilant as attackers innovate new ways to exploit these tools,” Gallagher added.

As ransomware operators become more sophisticated, organizations need to stay one step ahead by adopting robust security measures and fostering a culture of cybersecurity awareness. Sophos’ report underscores the critical need for proactive defenses in a world where collaboration tools are increasingly being weaponized.

By implementing the recommended measures and staying informed, organizations can significantly reduce the risks posed by these emerging threats.
