Ransomware Attackers Use “Vishing” via Microsoft Teams

Ransomware attackers are using a tactic called “vishing” to target organizations, posing as tech support and tricking employees into allowing remote access to their systems. The attackers send large numbers of spam messages to the employee’s email inbox, followed by a call from “tech support” via Microsoft Teams, asking them to allow remote access to solve a problem. However, this is just a ruse to gain access to the system.

The tactic has been working: Sophos MDR observed 15 incidents in the past three months in which attackers used email bombing and posed as tech support to deliver ransomware to organizations. The tactic is not new, but Sophos’ report provides insight into why it succeeds: the employees are often primed for social engineering attacks, having accepted remote access requests from legitimate sources in the past.

The attackers have been linked to two separate threat groups, STAC5143 and STAC5777. They operate their own Microsoft 365 instances and use email bombing to prime target employees to accept messages and calls from “tech support” via Teams. The groups’ modus operandi involves tricking targets into allowing remote control sessions through Teams, using this access to open a command shell and execute malware.

One group uses the access to deploy Black Basta ransomware, while another instructs target employees to download Microsoft’s Quick Assist remote access tool. The attackers use RDP and Windows Remote Management to access other computers on the targeted network. Sophos advises cybersecurity defenders to take precautions such as limiting outside organizations that can reach out to employees via M365, setting up policies for remote access applications, and monitoring potentially malicious inbound Teams or Outlook traffic.
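To illustrate the monitoring advice, the following added example (not from Sophos or the original article) correlates the three stages described above per user: an inbound email burst, an external Teams contact, and a remote access tool launch. The event field names, thresholds and sample events are constructed assumptions, not a real Microsoft 365 or Sophos log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names and thresholds are assumptions,
# not a real Microsoft 365 or Sophos log schema.
def _ev(ts, user, kind, detail=""):
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, "detail": detail}

SAMPLE_EVENTS = (
    [_ev(f"2025-01-20T09:{m:02d}:00", "alice", "email_in") for m in range(0, 40)]
    + [
        _ev("2025-01-20T09:50:00", "alice", "teams_external", "call from unknown tenant"),
        _ev("2025-01-20T09:58:00", "alice", "process_start", "QuickAssist.exe"),
        _ev("2025-01-20T10:00:00", "bob", "email_in"),
        _ev("2025-01-20T10:05:00", "bob", "teams_external", "chat from partner tenant"),
        _ev("2025-01-20T11:00:00", "carol", "process_start", "QuickAssist.exe"),
    ]
)
REMOTE_TOOLS = {"quickassist.exe"}  # extend with tools your policy does not allow

def correlate(events, burst=30, burst_window=timedelta(hours=1),
              follow_window=timedelta(minutes=30)):
    """Return per-user alerts for: email burst -> external Teams contact -> remote tool."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        mails = [e["ts"] for e in evs if e["kind"] == "email_in"]
        for contact in (e for e in evs if e["kind"] == "teams_external"):
            # Stage 1: was the inbox flooded shortly before the external contact?
            recent = [t for t in mails if contact["ts"] - burst_window <= t <= contact["ts"]]
            if len(recent) < burst:
                continue
            # Stage 2: did a remote access tool start soon after the contact?
            tool = next((e for e in evs if e["kind"] == "process_start"
                         and e["detail"].lower() in REMOTE_TOOLS
                         and contact["ts"] <= e["ts"] <= contact["ts"] + follow_window), None)
            alerts.append({"user": user, "emails": len(recent), "contact": contact["ts"],
                           "severity": "high" if tool else "medium",
                           "tool": tool["detail"] if tool else None})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

An email burst followed by an external Teams contact raises a medium alert on its own; the remote access tool launch inside the follow-up window escalates it to high.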

Source: https://www.helpnetsecurity.com/2025/01/21/ransomware-attackers-are-vishing-organizations-via-microsoft-teams-email-bombing