Stratos Ally

Ransomware Gangs Exploit Microsoft Teams With IT Support Impersonation Tactics 


StratosAlly


A new and concerning trend has been observed in ransomware attacks: threat actors use email bombing campaigns followed by social engineering over Microsoft Teams to gain initial access to target networks. 

The attackers send thousands of spam messages in a short period and then call the target from an adversary-controlled Office 365 tenant, posing as IT support. 

This tactic first surfaced late last year in attacks by the Black Basta ransomware group; researchers at Sophos have since observed it being used by other threat actors suspected of ties to the FIN7 group. 

The attackers take advantage of the default Microsoft Teams configuration, which permits calls and chats from external domains, to reach employees of the target organization. 

The security researchers have analyzed two distinct campaigns. The first is linked to a group dubbed STAC5143. It involves overwhelming targets with spam emails and then initiating a Teams call from an apparently genuine “Help Desk Manager” account. This call manipulates the victim into granting remote control access, allowing the attackers to deploy malware, including a Java archive (MailQueue-Handler.jar). This JAR file runs commands to download a genuine ProtonVPN executable, which side-loads a malicious DLL (nethost.dll) and Python-based scripts (RPivot backdoor). 

The second campaign, attributed to STAC5777, employs similar tactics but utilizes Microsoft Quick Assist to gain remote access. This campaign leverages Azure Blob Storage to host malware (winhttp.dll) that steals credentials, logs keystrokes, and scans the network for vulnerable systems via SMB, RDP, and WinRM. 

The researchers also observed the attacker trying to open local Notepad and Word documents with ‘password’ in the file name, as well as two RDP files, possibly searching for stored credentials. 

Both campaigns demonstrate the increasing sophistication of ransomware groups, leveraging legitimate business tools like Microsoft Teams and Quick Assist for malicious purposes. 

To mitigate these threats, organizations are advised to: 

• Restrict external domains from initiating Teams calls and messages. 

• Disable Quick Assist in critical environments. 

• Implement robust security awareness training programs to educate employees about social engineering tactics. 

• Regularly review and update security policies and procedures. 

By proactively addressing these security measures, organizations can significantly reduce their risk of falling victim to these evolving ransomware attacks. 
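The pattern described above (an email burst against one user, followed shortly by a Teams call or chat from a tenant outside the organization) is also something a SOC can alert on. The following is an added example, not code from Sophos or from the article; it runs over constructed mail-flow and Teams events, the tenant domains and timestamps are invented, and the thresholds (100 messages in 15 minutes, a 2-hour look-ahead) are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Mail events: (recipient, ISO time).
# Teams events: (recipient, ISO time, caller display name, caller's tenant domain).
HOME_TENANT = "example.org"
T0 = datetime(2025, 1, 20, 9, 0)
MAIL_EVENTS = (
    [("alice@example.org", (T0 + timedelta(seconds=2 * i)).isoformat()) for i in range(300)]
    + [("bob@example.org", (T0 + timedelta(minutes=3 * i)).isoformat()) for i in range(5)]
    + [("carol@example.org", (T0 + timedelta(seconds=3 * i)).isoformat()) for i in range(200)]
)
TEAMS_EVENTS = [
    ("alice@example.org", "2025-01-20T09:32:00", "Help Desk Manager", "helpdesk-lookalike.example"),
    ("bob@example.org", "2025-01-20T09:40:00", "Vendor Contact", "partner.example"),
    ("carol@example.org", "2025-01-20T10:05:00", "IT Support", "example.org"),
]

def find_email_bursts(mail_events, threshold=100, window=timedelta(minutes=15)):
    """Return {recipient: [(first, last), ...]} for recipients that received at
    least `threshold` messages inside any `window`-long sliding interval."""
    by_user = defaultdict(list)
    for user, ts in mail_events:
        by_user[user].append(datetime.fromisoformat(ts))
    bursts = defaultdict(list)
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:
                start += 1  # slide the window's left edge forward
            if end - start + 1 < threshold:
                continue
            first, last = times[start], t_end
            if bursts[user] and bursts[user][-1][1] >= first:
                bursts[user][-1] = (bursts[user][-1][0], last)  # extend the open burst
            else:
                bursts[user].append((first, last))
    return dict(bursts)

def correlate_teams_followup(bursts, teams_events, home_tenant, lookahead=timedelta(hours=2)):
    """Flag external-tenant Teams contacts that land during or shortly after a mail burst."""
    alerts = []
    for user, ts, display_name, tenant in teams_events:
        if tenant.lower() == home_tenant.lower():
            continue  # internal contact: outside the pattern described in the article
        t = datetime.fromisoformat(ts)
        for first, last in bursts.get(user, []):
            if first <= t <= last + lookahead:
                alerts.append({"user": user, "caller": display_name, "tenant": tenant,
                               "burst_end": last.isoformat(), "contact_at": ts})
    return alerts

def detect(mail_events=MAIL_EVENTS, teams_events=TEAMS_EVENTS, home_tenant=HOME_TENANT):
    return correlate_teams_followup(find_email_bursts(mail_events), teams_events, home_tenant)
```

Only alice is flagged: bob was contacted externally without a preceding burst, and carol's burst was followed by an internal contact.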
