Sophos reveals new Microsoft Teams-related threat campaigns
Sophos X-Ops has identified two active threat campaigns in which cybercriminals abuse Microsoft Office 365 (Microsoft Teams in particular) together with remote management tools to steal data and deploy ransomware.
According to Sophos X-Ops, both campaigns are ongoing: Sophos Managed Detection and Response (MDR) has observed more than 15 incidents using these tactics within the past three months, a significant portion of them in the past two weeks.
Sophos MDR began investigating these two separate clusters of activity in response to customer incidents in November and December 2024.
The two threat groups employ similar methods, starting with the targeting of specific employees at companies that use Microsoft Teams. Sophos X-Ops says a known tactic is to send the targeted employees thousands of spam emails in a very short time span; in one instance, more than 3,000 emails arrived in less than an hour. This technique is known as email-bombing.
Following the barrage of spam, the attackers place Microsoft Teams voice and video calls to the targeted employee from an external account, posing as IT support offering to resolve the spam problem. By talking the employee into granting remote control through Microsoft's Quick Assist or Teams screen sharing, the cybercriminals gain control of the employee's computer, which enables them to deploy ransomware, Sophos X-Ops says.
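The sequence above (an email-bomb against one mailbox, then a remote-assistance tool launched on that user's workstation shortly afterwards) is the signal a SOC can hunt for. The following is an added example, not Sophos X-Ops code: it runs a per-recipient sliding-window burst detector over mail-gateway log lines and then correlates each bombed user with endpoint process-start events for Quick Assist and similar tools. Both log formats, the sample log lines, the `1,000 messages per hour` burst threshold, the four-hour follow-on window and the `REMOTE_TOOLS` list are assumptions for this example and should be tuned to your own telemetry.

```python
"""Detect the email-bombing-then-remote-assistance pattern.

Added example, not Sophos X-Ops code. Both log formats are constructed for
this example (assumption: one event per line, ISO-8601 timestamps):

  mail gateway : <ts> accepted rcpt=<recipient> from=<sender>
  endpoint     : <ts> host=<hostname> user=<recipient> proc=<image path>

The thresholds are assumptions a SOC would tune; the article reports more than
3,000 messages in under an hour, so 1,000 per hour is deliberately conservative.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_THRESHOLD = 1000                 # messages to one recipient ...
BURST_WINDOW = timedelta(hours=1)      # ... within this sliding window
FOLLOW_ON_WINDOW = timedelta(hours=4)  # remote tool launched this soon after the burst
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe", "screenconnect.exe"}


def parse_mail_line(line):
    """'<ts> accepted rcpt=<addr> from=<addr>' -> (datetime, recipient)."""
    ts, _action, rcpt, _sender = line.split(" ", 3)
    return datetime.fromisoformat(ts), rcpt[len("rcpt="):].lower()


def parse_proc_line(line):
    """'<ts> host=<h> user=<u> proc=<path>' -> (datetime, user, image name)."""
    ts, _host, user, proc = line.split(" ", 3)   # the image path may contain spaces
    image = proc[len("proc="):].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return datetime.fromisoformat(ts), user[len("user="):].lower(), image


def find_email_bombs(mail_lines, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {recipient: time at which the burst threshold was first crossed}.

    A per-recipient deque keeps only timestamps inside the last `window`, so
    memory stays bounded on a busy gateway and each recipient fires once.
    """
    events = sorted(parse_mail_line(line) for line in mail_lines)
    recent = defaultdict(deque)
    bombs = {}
    for ts, rcpt in events:
        q = recent[rcpt]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rcpt not in bombs:
            bombs[rcpt] = ts
    return bombs


def correlate(bombs, proc_lines, tools=REMOTE_TOOLS, follow_on=FOLLOW_ON_WINDOW):
    """Pair each email-bombed user with a remote-assistance tool started under
    their account within `follow_on` of the burst: the fake help-desk step."""
    alerts = []
    for ts, user, image in sorted(parse_proc_line(line) for line in proc_lines):
        burst = bombs.get(user)
        if burst is None or image not in tools:
            continue
        if burst <= ts <= burst + follow_on:
            alerts.append({"user": user, "burst_at": burst, "tool": image, "launched_at": ts})
    return alerts


# --- constructed sample logs (not real telemetry) -----------------------------
_T0 = datetime(2024, 12, 3, 9, 0, 0)
SAMPLE_MAIL_LOG = [
    f"{(_T0 + timedelta(seconds=i)).isoformat()} accepted rcpt=alice@example.com from=news{i}@bulk.example"
    for i in range(3000)           # 3,000 newsletter confirmations in 50 minutes
] + [
    f"{(_T0 + timedelta(minutes=m)).isoformat()} accepted rcpt=bob@example.com from=colleague@example.com"
    for m in range(0, 50, 10)      # bob: normal volume
]
SAMPLE_PROC_LOG = [
    "2024-12-03T09:30:00 host=WS-022 user=bob@example.com proc=C:\\Program Files\\AnyDesk\\AnyDesk.exe",
    "2024-12-03T09:58:12 host=WS-017 user=alice@example.com proc=C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe",
    "2024-12-03T10:05:00 host=WS-017 user=alice@example.com proc=C:\\Windows\\System32\\notepad.exe",
    "2024-12-03T15:00:00 host=WS-017 user=alice@example.com proc=C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe",
]


def run(mail_lines=SAMPLE_MAIL_LOG, proc_lines=SAMPLE_PROC_LOG):
    """End-to-end: burst detection, then correlation with process starts."""
    return correlate(find_email_bombs(mail_lines), proc_lines)


if __name__ == "__main__":
    for alert in run():
        print(f"ALERT {alert['user']}: email-bomb at {alert['burst_at']:%H:%M:%S}, "
              f"{alert['tool']} started at {alert['launched_at']:%H:%M:%S}")
```

On the sample data only alice is flagged: her mailbox crosses 1,000 messages at 09:16:39 and Quick Assist starts under her account 42 minutes later. Bob's AnyDesk launch is ignored because his mailbox was never bombed, and alice's second Quick Assist start at 15:00 falls outside the follow-on window. In production the same two stages map onto a mail-gateway query and an EDR process-creation query joined on the user principal name; the deliberately low threshold keeps false positives manageable because the process correlation, not the burst alone, raises the alert.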
Sophos X-Ops has found connections between one of the groups and the Russian cybercriminal group known as FIN7, while the other group is linked to the Russian group Storm-1811. Sophos is sharing this intelligence to help organisations defend against these active campaigns and to raise awareness of their impact.
Sean Gallagher, Principal Threat Researcher at Sophos, commented: "While exploitation of remote management tools and abuse of legitimate services are themselves not wholly new, we are seeing more and more threat groups adopt these tactics to target companies of all sizes.
"Microsoft Teams' default configuration allows individuals outside an organization to chat with or call internal staff at a company, and attackers are abusing this feature," he says.
"Since many companies use managed service providers for their IT support, receiving a Teams call from an unknown person that's labeled as 'Help Desk Manager' may not ring alarm bells, especially if it's combined with an overwhelming amount of spam email.
"As Sophos continues to see new MDR and IR cases associated with these tactics, we want companies using Microsoft O365 to be on high alert," Gallagher says.
"They should check company-wide configurations, block outside account messages if possible, and block remote access tools and remote machine management tools not regularly used by their organisations."