
Latest News on Microsoft Teams Phishing Attacks and Ransomware Threats

Overview of the Threats

Recent reports from Sophos and other security researchers have highlighted a surge in sophisticated phishing and ransomware attacks that leverage Microsoft Teams and other Microsoft 365 services.

Attack Vectors and Tactics

Email Bombing and Teams Vishing

Two ransomware groups, tracked as STAC5143 and STAC5777, have been identified as using a combination of email bombing and social engineering via Microsoft Teams to gain access to targeted organizations. Here’s how the attacks unfold:

  • Email Bombing: The attackers flood the target employee’s email inbox with a large volume of spam messages in a short period, creating a sense of urgency and confusion [1][3][5].
  • Teams Vishing: Shortly after the email bombing, the attackers contact the employee via Microsoft Teams, posing as tech support or a "Help Desk Manager" from an external Microsoft 365 tenant. They request remote access to the employee’s device to resolve the perceived issue [1][3][5].

Technical Details of the Attacks

STAC5143

  • This group uses Python malware and Java archive (JAR) files, which are executed from an external SharePoint file store. They instruct the employee to install Microsoft Quick Assist for remote access, allowing the attackers to open a command shell and deploy malware [1][3][5].
  • The tactics and techniques of STAC5143 show some overlap with those of FIN7 (also known as Sangria Tempest or Carbon Spider), although they target smaller organizations in different sectors [1][5].

STAC5777

  • This group is linked to techniques similar to those used by Storm-1811. They use more "hands-on-keyboard" activity and scripted commands. The attackers instruct the employee to download Microsoft Quick Assist, then use the access to make configuration changes, deploy a legitimate Microsoft updater with a malicious side-loading DLL, and access other computers on the network using RDP and Windows Remote Management. In one case, they deployed Black Basta ransomware [1][3][5].

Impact and Extortion Methods

  • Once inside the network, these attackers exfiltrate sensitive data and deploy ransomware. They use legitimate tools and resources already present on the victim's network to avoid detection, a technique known as "living off the land" [2].
  • The ransomware attacks often involve data theft extortion, where the attackers threaten to publish stolen data if a ransom is not paid. The attackers also wipe volume shadow copies and delete backup files to make recovery more difficult [2].

Mitigation and Prevention

To protect against these threats, organizations are advised to:

  • Restrict Microsoft Teams Configuration: Configure Microsoft 365 to restrict Teams calls from outside organizations or limit them to trusted business partners [1][3][5].
  • Limit Remote Access Applications: Restrict the installation of remote access applications to only those approved by the organization’s tech support team [1][3][5].
  • Monitor Inbound Traffic: Monitor for potentially malicious inbound Teams and Outlook traffic [1][3][5].
  • Employee Awareness: Update employee awareness programs to include training on email bombing and Teams vishing tactics [1][3][5].
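The attack chain described above (an inbox flood, then a Teams contact from an external tenant posing as help desk, then a Quick Assist launch) and the "monitor inbound traffic" recommendation both lend themselves to a simple correlation rule. The following Python is an added example written for this page; it is not code from Sophos, Microsoft or the article's sources. Its pipe-delimited log format, the tenant identifiers, the "help desk" name list, the thresholds and the time windows are all constructed assumptions, and real Microsoft 365 audit and endpoint telemetry would need to be mapped onto the three event kinds it expects.

```python
"""Correlate email bombing, external Teams contact and remote-tool launch per user.

Added example for illustration. The log format and every threshold here are
assumptions; they are not taken from Microsoft 365 or from any vendor report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed assumptions: display names that mimic IT support, and remote
# access tools that are NOT on the organisation's approved list.
SUSPECT_NAMES = ("help desk", "helpdesk", "it support", "it department")
UNAPPROVED_REMOTE_TOOLS = ("quickassist.exe",)


@dataclass
class Event:
    ts: datetime
    kind: str      # mail_inbound | teams_inbound | process_start
    user: str
    attrs: dict


def parse_event(line: str) -> Event:
    """Parse one constructed line: '<iso ts>|<kind>|<user>|k=v;k=v'."""
    ts, kind, user, raw = line.strip().split("|", 3)
    attrs = dict(kv.split("=", 1) for kv in raw.split(";") if kv)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, user, attrs)


def find_mail_burst(events, user, threshold=50, window=timedelta(minutes=10)):
    """Start time of the first window in which `user` got >= threshold inbound mails, else None."""
    stamps = sorted(e.ts for e in events if e.kind == "mail_inbound" and e.user == user)
    j = 0
    for i, start in enumerate(stamps):
        while j < len(stamps) and stamps[j] - start <= window:
            j += 1
        if j - i >= threshold:
            return start
    return None


def external_teams_contacts(events, user, allowed_tenants):
    """Inbound Teams chats/calls for `user` whose tenant is not on the allow list."""
    return [e for e in events
            if e.kind == "teams_inbound" and e.user == user
            and e.attrs.get("tenant") not in allowed_tenants]


def correlate(lines, allowed_tenants, contact_window=timedelta(hours=2),
              tool_window=timedelta(hours=1)):
    """Return one alert per (bombed user, unexpected Teams contact), escalated by follow-on signals."""
    events = [parse_event(line) for line in lines]
    alerts = []
    for user in sorted({e.user for e in events}):
        burst = find_mail_burst(events, user)
        if burst is None:
            continue  # no inbox flood, nothing to correlate
        for contact in external_teams_contacts(events, user, allowed_tenants):
            if not burst <= contact.ts <= burst + contact_window:
                continue
            severity = "medium"
            if any(s in contact.attrs.get("display", "").lower() for s in SUSPECT_NAMES):
                severity = "high"
            tools = [e for e in events
                     if e.kind == "process_start" and e.user == user
                     and e.attrs.get("image", "").lower() in UNAPPROVED_REMOTE_TOOLS
                     and contact.ts <= e.ts <= contact.ts + tool_window]
            if tools:
                severity = "critical"  # flood -> external "help desk" -> remote tool launched
            alerts.append({"user": user, "burst_start": burst, "contact": contact.ts,
                           "tenant": contact.attrs.get("tenant"), "severity": severity,
                           "remote_tool": tools[0].attrs["image"] if tools else None})
    return alerts


def build_sample_log():
    """Constructed sample: alice is bombed then contacted; bob has normal traffic only."""
    t0 = datetime(2025, 1, 20, 9, 0, tzinfo=timezone.utc)
    lines = [f"{(t0 + timedelta(seconds=8 * i)).isoformat()}|mail_inbound|alice@corp.example"
             f"|from=promo{i}@lists.example" for i in range(60)]   # 60 mails in 8 minutes
    lines.append(f"{(t0 + timedelta(minutes=25)).isoformat()}|teams_inbound|alice@corp.example"
                 "|tenant=UNKNOWN-TENANT-ID-PLACEHOLDER;display=Help Desk Manager")
    lines.append(f"{(t0 + timedelta(minutes=32)).isoformat()}|process_start|alice@corp.example"
                 "|image=QuickAssist.exe")
    lines += [f"{(t0 + timedelta(hours=i)).isoformat()}|mail_inbound|bob@corp.example"
              f"|from=colleague{i}@corp.example" for i in range(5)]
    lines.append(f"{(t0 + timedelta(minutes=40)).isoformat()}|teams_inbound|bob@corp.example"
                 "|tenant=PARTNER-TENANT-ID;display=Dana from Partner Co")
    return lines


if __name__ == "__main__":
    for alert in correlate(build_sample_log(), allowed_tenants={"PARTNER-TENANT-ID"}):
        print(alert)
```

The allow list plays the role of the "trusted business partners" the first mitigation describes: a Teams contact from a partner tenant never raises an alert, while any unknown tenant does, and the severity climbs as the Teams display name and a subsequent unapproved remote-tool launch line up with the flood. Tune the burst threshold and windows against your own mail volume before relying on the rule.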

Additional Context

Medusa Ransomware

While not directly related to the specific Microsoft Teams attacks, Medusa ransomware, another prominent ransomware-as-a-service (RaaS) platform, also exploits vulnerabilities and uses initial access brokers to gain unauthorized access to networks. Medusa targets various sectors, including high tech, manufacturing, and education, and is known for its aggressive extortion tactics, including publishing stolen data on dark web leak sites and public Telegram channels [2].

Broader Cybersecurity Landscape

The use of advanced social engineering tactics, including email bombing and vishing, is part of a broader trend in ransomware attacks. These attacks are increasingly sophisticated, often involving the analysis of stolen data to increase pressure on victims and the use of AI tools to enhance the efficiency of the attacks [4].

By understanding these tactics and implementing the recommended mitigation strategies, organizations can better protect themselves against these evolving cybersecurity threats.