Hackers Impersonate Tech Support on Microsoft Teams to Deploy Ransomware

Sophos has discovered ransomware campaigns where hackers exploited Microsoft Teams and Office 365 services.

Published: Jan 23, 2025



Key Takeaways:

  • Threat actors posed as tech support personnel to exploit Microsoft Teams.
  • The attackers used various tactics to gain unauthorized access to systems to deploy ransomware.
  • Sophos advises organizations to restrict external Teams calls.

Sophos has raised an alert about a wave of ransomware attacks in which threat actors abused Microsoft Teams while impersonating tech support personnel. The attackers used this tactic to gain initial access to systems, steal sensitive data, and deploy ransomware.

According to a report published on Tuesday, Sophos linked these attacks to two threat actors identified as STAC5143 and STAC5777. The investigations began after customers reported incidents in November and December. Both groups have been leveraging Office 365 services, including Microsoft Teams and Outlook, to infiltrate organizations and gain unauthorized access. Sophos has recorded over 15 incidents of this kind in the past three months.

How does the tech support scam work?

According to Sophos, the intrusions combine email bombing with Microsoft's own remote-control tooling, namely Quick Assist and Microsoft Teams screen sharing. The attackers first contact the target over Teams from an Office 365 account they control, posing as IT support. Once the employee accepts the call and grants remote control of their device, the attackers install malware and move on to data theft and ransomware deployment.

“Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users,” Sophos researchers explained.

Threat Actor-Initiated Microsoft Teams Activity from External M365 Tenant (Image Credit: Sophos)

The hacking groups also flood the Outlook mailboxes of select employees at the target organization with large volumes of spam emails. This tactic is designed to overwhelm recipients and create a sense of urgency, so that a subsequent "help desk" call offering to fix the problem is welcomed rather than questioned.

STAC5143 conducted attacks by making Microsoft Teams calls from an account labeled “Help Desk Manager,” tricking employees into granting remote screen control to deploy malware. Meanwhile, STAC5777 relied on email bombing to overwhelm targets and then requested a Teams call to “resolve” the spam issue. Sophos also noted that both threat groups utilized PowerShell commands to maintain control over compromised systems.

Sophos has released detections for the malware used in these campaigns. The company has urged organizations to take additional steps to harden their environments, including configuring Microsoft 365 to restrict external Teams calls and chats, and raising employee awareness of social engineering attacks.
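The Teams setting at the centre of these attacks, external (federated) access, can be audited and tightened from the MicrosoftTeams PowerShell module. The script below is an added example written for this article, not code from Sophos or Microsoft. It assumes the MicrosoftTeams module is installed, that the account running it holds the Teams Administrator role, and that the partner domains listed are placeholders to be replaced with your own.

```powershell
# Added example (not from the article or from Sophos): audit the Teams
# federation configuration that the attackers abused, then replace the open
# default with an explicit allow list of partner tenants.
# Assumptions: MicrosoftTeams module installed (Install-Module MicrosoftTeams),
# Teams Administrator role, and placeholder partner domains below.

Connect-MicrosoftTeams

# 1. Audit. With AllowFederatedUsers = $true and AllowedDomains showing
#    "AllowAllKnownDomains", any external Office 365 tenant can start a chat
#    or call with your users, which is the default behaviour Sophos described.
$fed = Get-CsTenantFederationConfiguration -Identity Global
$fed | Select-Object AllowFederatedUsers, AllowTeamsConsumer, `
                     AllowTeamsConsumerInbound, AllowPublicUsers, `
                     AllowedDomains, BlockedDomains

# 2. Harden. Build an allow list so only named partner domains can federate.
#    Placeholder domains; substitute the tenants you genuinely work with.
$partnerDomains = @("partner-one.example", "partner-two.example")
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration -Identity Global `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false `
    -AllowPublicUsers $false

# If no partner federation is needed at all, the stricter option is simply:
#   Set-CsTenantFederationConfiguration -Identity Global -AllowFederatedUsers $false

# 3. Verify that the allow list, not "AllowAllKnownDomains", is now in effect.
(Get-CsTenantFederationConfiguration -Identity Global).AllowedDomains
```

Two caveats: the tenant-level setting is the gate, but per-user external access policies (`Get-CsExternalAccessPolicy`) can further restrict individual users, so check both when auditing; and an allow list only stops the attacker-operated tenants described here, not a call placed from a partner tenant that has itself been compromised, which is why the awareness training Sophos recommends still matters.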
