Beware! Microsoft Teams Being Misused By Cybercriminals To Target Employees In Ransomware Campaign
Cybersecurity company Sophos has tracked two ransomware campaigns using spam emails, Teams messages and Teams calls to steal data and distribute ransomware.

Microsoft’s Office 365 (now Microsoft 365 Copilot) platform is being used by two distinct groups of cyber criminals to target employees in order to steal data and deploy ransomware in companies, according to a report by cybersecurity company Sophos. These threat actors are sending spam emails, sending Microsoft Teams messages and even making Teams calls to employees with the intention of taking over their devices to steal data and to make ransom demands.
Tactics Used In Ransomware Campaign
According to Sophos, these threat actors are using various tactics as part of this ransomware campaign, including:
Email-Bombing: Sending large numbers of spam emails (up to 3,000 in less than an hour) to select people in a company in order to overflow their Outlook mailboxes and instill a sense of urgency to act.
Teams Messages And Calls: Threat actors are using an adversary-controlled Office 365 instance to send Teams messages and make Teams audio and video calls to employees while pretending to be their company’s tech support.
Microsoft Remote Control Tools: Taking over the targeted person’s computer and installing malware via Microsoft remote control technologies, either Quick Assist or directly through Teams screen sharing.
Misusing Microsoft Teams
As part of their attacks, the threat actors—identified as STAC5143 and STAC5777 by Sophos—used their own Microsoft Office 365 service tenants and exploited a built-in feature in Microsoft Teams that allows users on external domains to start meetings or conversations with internal users.
Both employ variations of the same attack pattern: email bombing and fake tech support as the social-engineering lure for distributing malware, abuse of trusted services delivered through Microsoft Office 365, and attempts to use command-and-control and data exfiltration tools.
Calls From ‘Help Desk Manager’
Sophos cited an event in which an organisation received over 3,000 spam messages in a 45-minute period. Thereafter, an employee received a Teams call from an account called “Help Desk Manager.” This did not raise any concerns with the employee who took the video call, because the company used a managed service provider for IT services.
During the call, the threat actor told the employee to permit a remote screen control session using Teams. The attacker was then able to launch a command shell, drop files, and run malware from an external SharePoint file store.
A Python malware payload was then deployed, and the names and IP addresses of the network’s domain servers were collected. Additionally, system and operating system details, configuration information and user credentials were compromised.
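The tactics list above and the incident described in this section share one observable shape from the defender’s side: a dense burst of inbound mail to a single mailbox, followed shortly by a Teams call or chat from a tenant the organisation does not own. The following Python script is an added example, not code from Sophos or from the article, that correlates those two signals over constructed sample events. The event field names, the burst threshold, the sliding window and the look-ahead period are all assumptions; the 3,000-messages-in-45-minutes figure for the sample burst is taken from the article.

```python
"""Correlate an inbound mail burst with a subsequent Teams contact from an
external tenant.  Added example; all thresholds and field names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_TENANT = "contoso-tenant"        # assumed: the organisation's own tenant ID
BURST_THRESHOLD = 500                     # assumed: messages per window that count as a bomb
BURST_WINDOW = timedelta(minutes=60)      # assumed: sliding window for the burst check
LOOKAHEAD = timedelta(hours=24)           # assumed: how long after a burst a call is suspicious


def mail_fixture():
    """Constructed sample mail events (not real logs): alice receives 3,000 messages
    in 45 minutes, bob receives 20 spread over a day."""
    start = datetime(2025, 1, 20, 9, 0)
    events = []
    for i in range(3000):  # 3,000 messages at 0.9 s spacing = 45 minutes
        events.append({"ts": start + timedelta(seconds=0.9 * i), "recipient": "alice@example.com"})
    for i in range(20):
        events.append({"ts": start + timedelta(minutes=60 * i), "recipient": "bob@example.com"})
    return events


# Constructed sample Teams events (not real logs). "tenant" is the tenant the
# caller's account belongs to; the display name is whatever the caller chose.
TEAMS_EVENTS = [
    {"ts": datetime(2025, 1, 20, 9, 50), "recipient": "alice@example.com",
     "kind": "call", "tenant": "unknown-tenant-1", "display_name": "Help Desk Manager"},
    {"ts": datetime(2025, 1, 20, 11, 0), "recipient": "bob@example.com",
     "kind": "chat", "tenant": INTERNAL_TENANT, "display_name": "Bob's Colleague"},
    {"ts": datetime(2025, 1, 21, 15, 0), "recipient": "bob@example.com",
     "kind": "call", "tenant": "partner-tenant", "display_name": "Partner PM"},
]


def find_mail_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {recipient: (window_start, window_end, count)} for the densest
    window per recipient that reaches the threshold.  Uses a two-pointer sweep
    over the sorted timestamps so it stays linear in the number of events."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["recipient"]].append(e["ts"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        best = None
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:   # slide the window's left edge forward
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (times[left], t, count)
        if best:
            bursts[user] = best
    return bursts


def find_external_teams_contacts(events, internal_tenant=INTERNAL_TENANT):
    """Teams calls or chats whose originating account lives in another tenant."""
    return [e for e in events if e["tenant"] != internal_tenant]


def correlate(mail_events, teams_events, lookahead=LOOKAHEAD):
    """Flag external Teams contact that reaches a user during, or shortly after,
    a mail burst aimed at that same user.  Either signal alone is noisy; the
    combination is the pattern described in the report."""
    bursts = find_mail_bursts(mail_events)
    alerts = []
    for e in find_external_teams_contacts(teams_events):
        burst = bursts.get(e["recipient"])
        if burst and burst[0] <= e["ts"] <= burst[1] + lookahead:
            alerts.append({
                "user": e["recipient"],
                "burst_count": burst[2],
                "burst_start": burst[0],
                "teams_kind": e["kind"],
                "external_tenant": e["tenant"],
                "display_name": e["display_name"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(mail_fixture(), TEAMS_EVENTS):
        print(alert)
```

In the sample data only alice’s “Help Desk Manager” call is raised: bob also receives an external call, but with no preceding mail burst it stays in the plain external-contact list rather than becoming an alert. That is deliberate, since organisations that work with partners or a managed service provider see external Teams traffic every day; the mail burst is what turns an ordinary external call into something worth a phone call to the user before any screen-sharing request is approved.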
Expanding The Cyber Targets
The threat actors tried to extend access beyond the compromised system using the credentials of the targeted user, looking for domain access that could be escalated to reach other hosts. Using domain credentials, they connected to the company’s VPN from outside the network. At another organisation, lateral movement was carried out using Windows Remote Management.
Cyber criminals also tried to use the Black Basta ransomware in one instance, which—according to Sophos—was prevented by endpoint protection.