Ransomware Gangs Pose as IT Support in Microsoft Teams Phishing Attacks

Ransomware gangs are increasingly leveraging sophisticated phishing tactics, including email bombing and posing as IT support via Microsoft Teams calls, to compromise organizational networks. By gaining the trust of employees, these attackers install malware that provides remote access, ultimately leading to ransomware deployment and data theft.
Tactics Employed by Ransomware Gangs
The attackers initiate their campaigns by sending thousands of spam emails in a short timeframe to overwhelm their targets. Shortly after, they exploit Microsoft Teams’ default configuration, which allows calls and chats from external domains. Using adversary-controlled Office 365 accounts, they masquerade as IT support representatives to gain credibility with their targets.
This strategy has been observed in campaigns linked to the Black Basta ransomware group and other threat actors connected to the notorious FIN7 gang. The combination of email bombardment and social engineering tactics has proven to be an effective method for bypassing traditional security measures and deceiving employees.
Observed Campaigns
Campaign 1: STAC5143 Group
In the first campaign investigated by Sophos, a group identified as STAC5143 utilized email bombing at a rate of 3,000 messages in just 45 minutes. The victims were then contacted through Microsoft Teams by an account named "Help Desk Manager."
The threat actor guided the victim to set up a remote screen control session and dropped a malicious Java archive (JAR) file named MailQueue-Handler.jar, along with Python scripts for the RPivot backdoor. These files were hosted on an external SharePoint link.
The JAR file executed PowerShell commands to download a legitimate ProtonVPN executable, which side-loaded a malicious DLL (nethost.dll). This DLL established an encrypted command-and-control (C2) channel, granting attackers remote access. The attacker also deployed second-stage malware and utilized penetration testing tools like RPivot for SOCKS4 proxy tunneling.
While similarities to FIN7’s obfuscation techniques and RPivot use were noted, Sophos could not conclusively attribute this campaign to FIN7 due to the availability of these tools in the public domain. The attackers appeared to aim at gaining persistent access to the network for future exploitation, including data theft and ransomware deployment.
Campaign 2: STAC5777 Group
Another campaign, attributed to STAC5777, followed a similar pattern of email bombing followed by Microsoft Teams messages posing as IT support. However, in this case, the attackers used Microsoft Quick Assist to gain direct keyboard access.
Once inside, they downloaded malware hosted on Azure Blob Storage. The malicious DLL (winhttp.dll) was side-loaded into a legitimate Microsoft process (OneDriveStandaloneUpdater.exe) and configured to persist via a PowerShell command that created a startup service. This malware performed keylogging, credential harvesting, and network scanning to identify additional pivot points.
Sophos identified attempts to deploy Black Basta ransomware in this campaign, further linking STAC5777 to the ransomware group. The attackers also accessed local documents containing keywords like “password” and examined Remote Desktop Protocol (RDP) files for credentials.
The campaign highlighted how attackers can combine multiple tools and tactics to maximize the impact of their operations. The use of legitimate software such as Quick Assist and OneDriveStandaloneUpdater.exe underscores the importance of monitoring unusual activities involving trusted applications.
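The two behaviours described for STAC5777 (a copy of winhttp.dll side-loaded by OneDriveStandaloneUpdater.exe from a user-writable folder, and a startup service created by PowerShell) are both visible in ordinary endpoint telemetry. The following detection logic is an added example written for this page; it is not code from Sophos or from the article. It runs over constructed Sysmon-style image-load and process-create events, and the DLL name set, the user-writable path prefixes and the `<placeholder>` service name are assumptions.

```python
"""Detection logic for DLL side-loading and user-path service persistence.

Added example, not from the article or Sophos. It runs over constructed
Sysmon-style telemetry (image-load and process-create events as dicts) and
flags two behaviours the article describes for the STAC5777 intrusion:
  1. a DLL bearing the name of a Windows system library (winhttp.dll) loaded
     by an executable from the executable's own, user-writable directory
     instead of the Windows system directory;
  2. a service being created with a binary path inside a user-writable
     directory.
The DLL name set and the path prefixes are illustrative assumptions; a real
rule set would be built from the estate's own inventory.
"""
import ntpath
import re

# Libraries Windows ships in System32; a same-named copy next to an
# application binary is the classic side-loading layout. (Illustrative list.)
SYSTEM_DLL_NAMES = {"winhttp.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations an unprivileged user can normally write to (assumed prefixes).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SERVICE_CREATE_RE = re.compile(r"\b(new-service|sc(\.exe)?\s+create)\b", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"[a-z]:\\[^\s\"']+", re.IGNORECASE)


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def check_image_load(event):
    """Return an alert string, or None, for one image-load event."""
    dll = event["image"].lower()
    if ntpath.basename(dll) not in SYSTEM_DLL_NAMES:
        return None
    if dll.startswith(SYSTEM_DIRS):
        return None                      # loaded from where it belongs
    proc = event["process"].lower()
    # Same directory as the loading executable, and that directory is one a
    # user could have written the DLL into: the side-loading layout.
    if ntpath.dirname(dll) == ntpath.dirname(proc) and is_user_writable(dll):
        return f"possible DLL side-loading: {event['process']} loaded {event['image']}"
    return None


def check_process_create(event):
    """Return an alert string, or None, for one process-create event."""
    cmd = event["cmdline"]
    if not SERVICE_CREATE_RE.search(cmd):
        return None
    for path in WIN_PATH_RE.findall(cmd):
        if is_user_writable(path):
            return f"service persistence from user-writable path: {path}"
    return None


def scan(events):
    """Apply the two checks to a list of events and return the alerts."""
    alerts = []
    for ev in events:
        if ev["type"] == "image_load":
            hit = check_image_load(ev)
        elif ev["type"] == "process_create":
            hit = check_process_create(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed telemetry: the first item of each pair is benign, the second is
# the pattern the article describes.
CONSTRUCTED_EVENTS = [
    {"type": "image_load",
     "process": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe",
     "image": r"C:\Windows\System32\winhttp.dll"},
    {"type": "image_load",
     "process": r"C:\Users\victim\AppData\Local\Temp\OneDriveStandaloneUpdater.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\winhttp.dll"},
    {"type": "process_create",
     "cmdline": r"sc.exe create Spooler binPath= C:\Windows\System32\spoolsv.exe"},
    {"type": "process_create",
     "cmdline": r"powershell.exe -Command New-Service -Name <placeholder> "
                r"-BinaryPathName C:\Users\victim\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"},
]

if __name__ == "__main__":
    for alert in scan(CONSTRUCTED_EVENTS):
        print("ALERT", alert)
```

The side-loading check deliberately keys on location rather than on a hash of the DLL: the malicious library changes per campaign, but a system DLL name resolving to a user-writable directory next to the loading binary does not. The service check is the coarse version of the same idea, a persistence entry pointing at a path no installer should use.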
Why These Attacks are Effective
These attacks succeed largely due to their ability to exploit human error and the default settings in widely used collaboration tools like Microsoft Teams. Employees are often trained to trust IT support, making it easier for attackers to pose as legitimate support personnel. The combination of technical expertise and social engineering skills enables threat actors to bypass organizational defenses and execute their attacks effectively.
Additionally, the use of email bombing creates a sense of urgency and confusion, which can distract employees and lower their guard. By overwhelming the victim’s inbox, attackers ensure their subsequent communication appears more credible and urgent.
Key Recommendations for Organizations
As ransomware gangs continue to evolve their tactics, organizations must take proactive measures to mitigate the risk of these attacks:
Restrict External Access on Microsoft Teams: Configure Teams settings to block messages and calls from external domains. Limiting interactions with unknown users reduces the attack surface.
Disable Quick Assist in Critical Environments: Removing access to remote assistance tools can reduce the risk of hands-on-keyboard attacks. Consider alternative solutions for legitimate remote support needs.
Implement Email Security Measures: Deploy advanced spam filters to detect and block email bombing campaigns. Regularly update these filters to adapt to emerging threats.
Educate Employees: Conduct regular security awareness training to help employees identify phishing attempts and suspicious requests. Emphasize the importance of verifying the identity of IT support personnel before granting access.
Monitor Network Traffic: Use endpoint detection and response (EDR) solutions to identify anomalies and malicious activity in real-time. Invest in tools that provide visibility into lateral movement within the network.
Conduct Regular Security Audits: Periodic assessments of security configurations and policies can help identify vulnerabilities and ensure compliance with best practices.
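The email-bombing stage that opens both campaigns (3,000 messages to one mailbox in 45 minutes) is a volume anomaly a mail gateway or SIEM can flag before the Teams call arrives. The following sliding-window detector is an added example written for this page, not code from the article or from any vendor product; the log-line format, the per-recipient threshold and the sample addresses are constructed assumptions.

```python
"""Sliding-window detector for inbound mail floods ("email bombing").

Added example, not from the article or any vendor product. It consumes
constructed mail-gateway accept-log lines of the form
    <ISO-8601 timestamp> accept rcpt=<address>
(a made-up format) and flags any recipient whose inbound count inside a
45-minute window exceeds a threshold. The threshold is an assumed value;
a real deployment derives it from the organisation's per-mailbox baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=45)   # matches the 45-minute burst reported by Sophos
THRESHOLD = 200                  # assumed per-recipient ceiling for one WINDOW


def parse_line(line):
    """Split one constructed log line into (timestamp, recipient)."""
    ts, _, rcpt = line.partition(" accept rcpt=")
    return datetime.fromisoformat(ts), rcpt.strip()


def detect_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {recipient: timestamp at which the threshold was first exceeded}.

    Lines are expected in chronological order per recipient, as a gateway
    would emit them. Each recipient keeps a deque of timestamps inside the
    current window; the oldest are evicted as the window slides forward.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, rcpt = parse_line(line)
        q = recent[rcpt]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and rcpt not in alerts:
            alerts[rcpt] = ts
    return alerts


def constructed_log():
    """Build a sample log: one normal mailbox and one being bombed."""
    base = datetime(2025, 1, 21, 9, 0, 0)
    lines = []
    # alice: ordinary traffic, one message every ten minutes
    for i in range(18):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} accept rcpt=alice@example.test")
    # bob: 3,000 messages in 45 minutes (one every 900 ms)
    for i in range(3000):
        t = base + timedelta(milliseconds=900 * i)
        lines.append(f"{t.isoformat()} accept rcpt=bob@example.test")
    return lines


if __name__ == "__main__":
    for rcpt, when in detect_floods(constructed_log()).items():
        print(f"ALERT {when.isoformat()} mail flood against {rcpt}")
```

The alert fires three minutes into the flood, at the 201st message, rather than after the full 45 minutes, which is the point: the goal is to warn the targeted user and the help desk that an unsolicited "IT support" contact is likely to follow, while the social-engineering step is still ahead.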
Conclusion
The adoption of sophisticated phishing techniques by ransomware gangs highlights the importance of robust cybersecurity measures. By exploiting Microsoft Teams’ default settings and leveraging tools like Quick Assist, attackers can infiltrate networks with alarming ease. Organizations must remain vigilant, update their security configurations, and educate their employees to counteract these evolving threats effectively. As the threat landscape continues to evolve, staying informed and proactive is crucial for minimizing the risk of falling victim to ransomware attacks. Implementing strong security policies and fostering a culture of cybersecurity awareness can go a long way in protecting against these sophisticated threats.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.