Two separate threat actors have been observed abusing Microsoft 365 services and exploiting default Microsoft Teams configurations to initiate conversations with internal users, Sophos warns.
Operating Microsoft 365 tenants, the two hacking groups launched at least 15 attacks over the past three months, likely aiming to compromise organizations for ransomware deployment and data theft.
Tracked as STAC5143 and STAC5777, the attackers leveraged a default Microsoft Teams configuration that allowed them to initiate chats and meetings with internal users, posing as tech support and taking control of the target’s machine using legitimate Microsoft tools.
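The default the report refers to is Teams external access: open federation lets any other Microsoft 365 tenant start a chat or call with internal users. The following audit script is an added example, not code from Sophos or Microsoft; it assumes the MicrosoftTeams PowerShell module and a Teams administrator session, uses Microsoft's cmdlet names, and the check on the `AllowedDomains` type name is an assumption.

```powershell
# Added example: audit (and optionally tighten) Teams external access so that
# arbitrary tenants cannot initiate chats or calls with internal users.
# Assumes: MicrosoftTeams module installed, Teams admin credentials.
param(
    [switch]$Remediate,                 # apply the hardened settings
    [string[]]$TrustedDomains = @()     # partner tenants to keep on the allow list
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$fed = Get-CsTenantFederationConfiguration

# Open federation: AllowFederatedUsers is on and AllowedDomains is the
# "allow all known domains" object rather than an explicit allow list.
# (Checking the type name is our assumption about how the object is exposed.)
$allowsAllDomains = $fed.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains'

$findings = @()
if ($fed.AllowFederatedUsers -and $allowsAllDomains) {
    $findings += 'Any Microsoft 365 tenant can initiate chats and calls with your users'
}
if ($fed.AllowTeamsConsumerInbound) {
    $findings += 'Personal (consumer) Teams accounts can initiate contact'
}
if ($fed.AllowPublicUsers) {
    $findings += 'Skype consumer accounts can initiate contact'
}

if ($findings.Count -eq 0) {
    Write-Host 'External access is already restricted.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Remediate) {
    if ($TrustedDomains.Count -gt 0) {
        # Replace open federation with an explicit allow list of partner tenants.
        $patterns  = $TrustedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowedDomains $allowList `
            -AllowTeamsConsumerInbound $false -AllowPublicUsers $false
    } else {
        # No partners listed: disable tenant federation outright.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
            -AllowTeamsConsumerInbound $false -AllowPublicUsers $false
    }
    Get-CsTenantFederationConfiguration   # show the resulting settings for review
}
```

Run without `-Remediate` first to see which of the three findings apply to the tenant; settings can take some time to propagate after a change.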
The first STAC5143 attack was observed in November 2024. It began with a large volume of spam messages, immediately followed by a Teams call from the attackers, placed from an account named ‘Help Desk Manager’.
During the call, the attackers requested remote screen control through Teams, which allowed them to open a command shell, drop files on the system, and execute malware.
One hour after the attackers ran PowerShell commands to fetch a ProtonVPN executable and a malicious DLL for sideloading, a Python payload was deployed, leading to a set of backdoors being installed, and several commands for user and network discovery were run.
Techniques and tools used by STAC5143, such as the Python malware, resemble those of FIN7/Sangria Tempest, but the attack chain and the targeted organizations differ from FIN7’s, Sophos notes. The threat actor also appears to be copying the Storm-1811 (aka Black Basta) playbook.
According to Sophos, STAC5777 likewise bombarded employees at the targeted organizations with a large volume of spam messages and then contacted them via Teams, pretending to be a member of the internal IT team.
“The Teams message—from the adversaries responsible for the spam messages—requested a Teams call to resolve the spam issues. But unlike the STAC5143 incidents we’ve observed, STAC5777 activity relied much more on ‘hands-on-keyboard’ actions,” Sophos says.
In all the documented incidents, the threat actor instructed the employee during the Teams call to install Microsoft Quick Assist, which allowed the attackers to establish a remote access session, take control of the victim’s machine, and download a malicious payload using a web browser.
The attackers dropped a legitimate Microsoft executable, unsigned DLLs from the OpenSSL Toolkit, a legitimate Microsoft library, a DAT file, and a malicious DLL designed to collect system and configuration information, user credentials, and more.
STAC5777 then performed reconnaissance operations and used collected user credentials to move laterally on the network. The attackers were also seen accessing files locally, viewing configuration files to extract credentials, and accessing a network diagram for one targeted organization. In one instance, the threat actor attempted to execute the Black Basta ransomware.
“Organizations should raise employee awareness of these types of tactics—these aren’t the types of things that are usually covered in anti-phishing training. Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social-engineering driven attacks depend upon,” Sophos notes.