Microsoft Teams abused in Russian email bombing ransomware campaign
At least two groups are currently running email bombing attacks
- Sophos' researchers said they saw two groups engaging in email bombing attacks
- At least 15 organizations were targeted in the last three months
- The goal is to steal sensitive data and deploy ransomware
At least two threat actor groups are running email bombing campaigns against numerous organizations in the West, trying to steal their data and deploy ransomware.
Cybersecurity researchers at Sophos X-Ops have observed more than 15 such incidents in the past three months, with half occurring in the last two weeks, suggesting that the criminals are picking up pace.
Email bombing is not a new tactic. It revolves around “bombing” the victim with hundreds, if not thousands, of emails in a very short timespan, before the attackers contact the victim pretending to be an IT admin or network support worker.
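The burst pattern described above is something a mail administrator can look for in message-trace data. The following PowerShell function is an added example, not code from the article or from Sophos: it groups inbound messages by recipient and flags any mailbox that receives more than a threshold number of messages inside a sliding time window. The record shape (Received, SenderAddress, RecipientAddress, Subject) mirrors what Exchange Online message-trace cmdlets return, but the records in the block are constructed sample data, and the 10-minute window and 50-message threshold are assumed starting values to tune for your own tenant.

```powershell
# Added example (not from the article): flag mailboxes that receive an abnormal burst
# of inbound mail, the pattern of an "email bombing" attack.
function Find-EmailBombBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Messages,
        [int] $WindowMinutes = 10,   # sliding window length (assumed starting value)
        [int] $Threshold     = 50    # messages per recipient inside one window (assumed)
    )

    $alerts = @()
    foreach ($group in ($Messages | Group-Object RecipientAddress)) {
        # This recipient's arrival times, oldest first
        $times = @($group.Group | ForEach-Object { [datetime]$_.Received } | Sort-Object)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Slide the window start forward until it is within $WindowMinutes of $times[$end]
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                # Many distinct senders is typical: the victim is signed up to countless lists
                $senders = @($group.Group | Select-Object -ExpandProperty SenderAddress | Sort-Object -Unique).Count
                $alerts += [pscustomobject]@{
                    Recipient     = $group.Name
                    WindowStart   = $times[$start]
                    WindowEnd     = $times[$end]
                    MessageCount  = $count
                    UniqueSenders = $senders
                }
                break   # one alert per recipient is enough for triage
            }
        }
    }
    return $alerts
}

# Constructed sample trace: one victim receives 60 subscription-style messages from
# 60 different senders in four minutes; a second user has ordinary traffic.
$base   = Get-Date '2025-01-20T09:00:00Z'
$sample = @()
1..60 | ForEach-Object {
    $sample += [pscustomobject]@{
        Received         = $base.AddSeconds($_ * 4)
        SenderAddress    = "noreply$_@list-$_.example"
        RecipientAddress = 'victim@contoso.example'
        Subject          = "Welcome to our mailing list #$_"
    }
}
1..3 | ForEach-Object {
    $sample += [pscustomobject]@{
        Received         = $base.AddMinutes($_ * 20)
        SenderAddress    = 'colleague@contoso.example'
        RecipientAddress = 'normal.user@contoso.example'
        Subject          = "Meeting notes $_"
    }
}

# Only victim@contoso.example is reported; normal.user never exceeds the threshold.
Find-EmailBombBursts -Messages $sample | Format-Table -AutoSize
```

Run against real data by piping the output of your message-trace export into `-Messages`; an alert with a high UniqueSenders count is the cue to warn the affected user that a follow-up "help desk" call is likely to be the next step.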
Russian hackers
The attackers reportedly reach out via Microsoft Teams, or similar online collaboration tools, and offer to solve the issue. If the victim takes the bait, the attackers would demand access to Quick Assist or Microsoft Teams screen sharing, to take control of their targets’ computers. Once they are granted access, the attackers would deploy ransomware, the researchers said.
While Sophos X-Ops did not attribute the attacks to specific groups with great confidence, it did say that it “uncovered links” between one of the threat actors and FIN7, a known Russian, financially motivated hacking collective.
The second group is seemingly linked to Storm-1811, another financially motivated cybercriminal group. This collective is known for deploying Black Basta ransomware through sophisticated social engineering attacks, and was observed impersonating IT staff in the past.
For Sean Gallagher, principal threat researcher at Sophos, the crux of the problem lies in the fact that Teams’ default configuration allows individuals outside an organization to chat with, or call, internal staff at a company.
“Since many companies use managed service providers for their IT support, receiving a Teams call from an unknown person that’s labeled as ‘Help Desk Manager’ may not ring alarm bells, especially if it’s combined with an overwhelming amount of spam email,” Gallagher said.
“As Sophos continues to see new MDR and IR cases associated with these tactics, we want companies using Microsoft 365 to be on high alert. They should check company-wide configurations, block outside account messages if possible, and block remote access tools and remote machine management tools not regularly used by their organizations.”
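The configuration review Gallagher recommends can be done from the MicrosoftTeams PowerShell module. The block below is an added example, not code from the article or from Sophos: it reads the tenant-wide external access ("federation") settings, warns when the permissive defaults described above are in place (any external organization or personal Teams account can reach staff), and then restricts federation to an allow list and blocks consumer accounts. It assumes a Teams administrator role, the `Get-CsTenantFederationConfiguration` / `Set-CsTenantFederationConfiguration` cmdlets, and the `-AllowedDomainsAsAList` parameter of recent module versions; the domain names are placeholders, and the type-name check for the "all domains allowed" state is an assumption to verify against your module version.

```powershell
# Added example (not from the article): review and tighten Teams external access.
# Requires the MicrosoftTeams module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Review the current tenant-wide external access configuration.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                     AllowPublicUsers, AllowedDomains, BlockedDomains | Format-List

# 2. Flag the permissive defaults: open federation with no allow list, and consumer
#    Teams accounts permitted to start chats or calls with staff.
#    Assumption: when every domain is allowed, AllowedDomains is an AllowAllKnownDomains object.
$openToAll = $cfg.AllowFederatedUsers -and ($cfg.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains')
if ($openToAll) {
    Write-Warning 'Federation is open to ALL external domains; no allow list is configured.'
}
if ($cfg.AllowTeamsConsumer) {
    Write-Warning 'Personal (consumer) Teams accounts can contact users in this tenant.'
}

# 3. Harden: block consumer Teams accounts in both directions and limit federation to
#    vetted partners (for example the MSP that actually runs your help desk).
#    'msp-partner.example' and 'subsidiary.example' are placeholders.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @('msp-partner.example', 'subsidiary.example')

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Settings changes in Teams can take some time to propagate, so re-run step 4 after a while rather than trusting the first read-back. Because the default is "allow all", the allow list is the setting that does the real work: once it is in place, a stranger labelled "Help Desk Manager" from an unlisted tenant cannot open a chat or call with your users at all.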
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.