Threat actors abusing Microsoft Teams in ransomware attacks
Sophos researchers observed two separate threat campaigns in which attackers used Microsoft Teams to pose as IT support personnel and gain access to victims' systems.
Sophos warned that threat actors are abusing Microsoft Teams to pose as tech support personnel to gain initial access to victim organizations with the goal of stealing data and deploying ransomware.
In a report published Tuesday, Sophos detailed ongoing threat campaigns tied to two separate actors it tracks as STAC5143 and STAC5777. Both groups are abusing Microsoft Office 365 services, including Teams and Outlook, to gain access to victim organizations. Sophos revealed it observed more than 15 incidents in the past three months, and half of them occurred in the past two weeks.
During attacks, Sophos discovered common tactics leveraged by both groups, including "email bombing," vishing and using Microsoft remote control tools. Sophos said it "believes with high confidence" that the groups' goal is to steal data or deploy ransomware against the victim organization.
"Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users," Sophos researchers wrote in the report.
Sophos researchers observed both groups flooding the Outlook mailboxes of a few targeted individuals at the victim organization to "create a sense of urgency." STAC5143 and STAC5777 then abused Teams, placing voice or even video calls to the targeted employees while posing as their organization's tech support.
"Using Microsoft remote control tools -- either Quick Assist or directly through Teams screen sharing -- to take control of the targeted individual's computer and install malware," the report said.
While both groups abused the same services, their techniques differed. During the STAC5143 campaign, Sophos observed that targeted victims received a Teams call made from outside the organization from an account named "Help Desk Manager." Sophos explained how the tactic appeared legitimate.
"As the organization used a managed service provider for IT services, this did not set off red flags with the employee who accepted the video call," the report said. "During the call, the threat actor instructed the employee to allow a remote screen control session through Teams. Through this remote-control session, the attacker was able to open a command shell and drop files and execute malware, deploying them from an external SharePoint file store."
In the case of STAC5777, the threat actor used email bombing before sending a Microsoft Teams message posing as the company's internal IT team to trick targeted victims into believing there was a spam issue. The seemingly legitimate Teams message requested a call to resolve the issue. "But unlike STAC5143 incidents we've observed, STAC5777 activity relied much more on 'hands-on-keyboard' actions and scripted commands launched by the threat actors directly than STAC5143," the report said.
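The email bombing that precedes the fake IT-support contact in both campaigns has a distinctive shape in mail logs: one mailbox receives a burst of messages from many unrelated sender domains within minutes. The following PowerShell is an added example, not code from the Sophos report, that flags that pattern. It reads the RecipientAddress, SenderAddress and Received fields that Exchange Online message-trace rows (Get-MessageTrace) carry; the sample rows, thresholds and addresses are constructed for illustration.

```powershell
# Added example (not from the Sophos report): flag mailboxes hit by an "email bomb",
# a burst of messages from many unrelated sender domains in a short window. Records
# use the RecipientAddress / SenderAddress / Received fields of Exchange Online
# message-trace rows (Get-MessageTrace); the sample rows below are constructed.

function Find-EmailBombTargets {
    param(
        [Parameter(Mandatory)] [object[]]$Messages,
        [int]$WindowMinutes    = 10,   # sliding window length
        [int]$MessageThreshold = 50,   # messages in one window needed to alert
        [int]$MinSenderDomains = 20    # distinct sender domains, to ignore one noisy sender
    )
    foreach ($mailbox in $Messages | Group-Object RecipientAddress) {
        $sorted = @($mailbox.Group | Sort-Object Received)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].Received
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($sorted | Where-Object { $_.Received -ge $start -and $_.Received -lt $end })
            if ($window.Count -lt $MessageThreshold) { continue }
            $domains = @($window | ForEach-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
                        Sort-Object -Unique)
            if ($domains.Count -ge $MinSenderDomains) {
                [pscustomobject]@{
                    Recipient     = $mailbox.Name
                    WindowStart   = $start
                    Messages      = $window.Count
                    SenderDomains = $domains.Count
                }
                break   # one alert per mailbox; the SOC then checks Teams and Quick Assist activity
            }
        }
    }
}

# --- constructed sample data ---
$base   = Get-Date '2025-01-21T09:00:00'
$sample = @()
# victim: 90 sign-up confirmations in six minutes from 60 distinct domains
foreach ($n in 1..90) {
    $sample += [pscustomobject]@{
        Received         = $base.AddSeconds($n * 4)
        RecipientAddress = 'victim@example.com'
        SenderAddress    = "noreply@list$($n % 60).example.net"
    }
}
# colleague: a normal trickle of internal mail
foreach ($n in 1..5) {
    $sample += [pscustomobject]@{
        Received         = $base.AddMinutes($n * 3)
        RecipientAddress = 'colleague@example.com'
        SenderAddress    = 'hr@example.com'
    }
}
Find-EmailBombTargets -Messages $sample | Format-Table
# Live use: Find-EmailBombTargets -Messages (Get-MessageTrace -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date))
```

The distinct-domain condition is what separates a bombing run (bulk sign-ups to hundreds of legitimate newsletters) from a single misbehaving sender. The per-message sliding window is quadratic and fine for a one-hour trace; for continuous monitoring, feed the same logic from a scheduled trace or a SIEM query. An alert on a mailbox is the cue to look for an inbound external Teams chat or call to that user shortly afterwards.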
In both campaigns, Sophos also observed PowerShell commands used to maintain persistence across reboots, gather credentials and exfiltrate data. The threat actors also used evasion techniques.
"In one incident, Sophos MDR observed the threat actor using the backdoor to uninstall local multifactor authentication integration on the target device," the report said. "In another, the threat actor unsuccessfully attempted to uninstall the Sophos Endpoint Agent -- an action blocked by Sophos' tamper protection."
Tech support scams
These recent attacks may not be the first time STAC5143 abused Microsoft Teams to trick targeted users. Sophos discovered an overlap between STAC5143 and what Microsoft tracks as Storm-1811, a threat group known for leveraging technical support scams against victim organizations.
In May, Microsoft published a blog post warning that Storm-1811 was abusing Quick Assist in social engineering attacks and using Teams to message and call targeted users. The blog post stated that Storm-1811 was known to deploy Black Basta ransomware.
Sophos also uncovered a connection to Black Basta in the recent campaign.
"In one case found in a threat hunt across all Sophos MDR customers, the threat actors attempted to execute Black Basta ransomware. This was blocked by Sophos endpoint protection," the report said.
Sophos urged organizations to ensure their Microsoft Office 365 tenant configuration restricts Teams calls and chats from outside the organization and to set restrictive policies for remote access applications such as Quick Assist. Sophos also recommended more social engineering awareness training and making sure employees know who their actual IT support personnel are, as these tactics are increasing.
"Organizations should also raise employee awareness of these types of tactics -- these aren't the types of things that are usually covered in anti-phishing training," the report said.
Sean Gallagher, principal threat researcher at Sophos X-Ops and co-author of Tuesday's report, told Informa TechTarget that any organization using Teams is at risk of these attacks and provided additional defensive actions.
"It doesn't matter their geography. Sophos continues to see new MDR [managed detection and response] and IR [incident response] cases associated with these highly active campaigns and organizations using Microsoft 365 should be on high alert. They should check company-wide configurations, block outside account messages if possible, and block remote access tools and remote machine management tools not regularly used by their organizations," he said.
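Both the Sophos recommendations and Gallagher's advice come down to the same tenant and endpoint settings: the Teams external-access (federation) switches that let an attacker-run tenant start a chat or call with internal users, and the presence of Quick Assist on endpoints. The PowerShell below is an added example, not code from Sophos or Microsoft, that audits those settings, replaces open federation with an allow list, and removes Quick Assist. It assumes the MicrosoftTeams module and a Teams administrator account for the first two functions, local administrator rights on the endpoint for the third, and uses a placeholder MSP domain.

```powershell
# Added example (not code from Sophos or Microsoft): audit the Teams external-access
# settings the attackers relied on, replace open federation with an allow list, and
# remove Quick Assist from endpoints. Requires the MicrosoftTeams module and a Teams
# administrator account for the first two functions, and local admin for the third.
# The MSP domain in the usage section is a placeholder.

function Get-TeamsExternalAccessRisk {
    # Summarises the tenant-level switches that let an outside tenant or a consumer
    # Teams account open a chat or call with internal users.
    $fed = Get-CsTenantFederationConfiguration
    [pscustomobject]@{
        AllowFederatedUsers       = $fed.AllowFederatedUsers        # $true = any M365 tenant can reach users
        AllowedDomains            = $fed.AllowedDomains             # AllowAllKnownDomains = no allow list in force
        BlockedDomains            = $fed.BlockedDomains
        AllowTeamsConsumer        = $fed.AllowTeamsConsumer         # personal Teams accounts
        AllowTeamsConsumerInbound = $fed.AllowTeamsConsumerInbound  # ...and whether they may initiate contact
        AllowPublicUsers          = $fed.AllowPublicUsers           # Skype consumer accounts
    }
}

function Set-TeamsExternalAccessAllowList {
    # Restricts external chats and calls to the listed domains (for example the
    # organisation's MSP) and blocks consumer and trial-tenant access entirely.
    param([Parameter(Mandatory)] [string[]]$AllowedDomain)
    $patterns  = foreach ($d in $AllowedDomain) { New-CsEdgeDomainPattern -Domain $d }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList `
        -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false `
        -AllowPublicUsers $false -ExternalAccessWithTrialTenants 'Blocked'
}

function Remove-QuickAssist {
    # Quick Assist is a Store app on current Windows builds; removing the installed
    # package and the provisioned copy keeps it off existing and future profiles.
    # Run elevated on the endpoint (or push through Invoke-Command or an Intune script).
    Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
        Remove-AppxPackage -AllUsers
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
        Remove-AppxProvisionedPackage -Online
}

# --- usage ---
Connect-MicrosoftTeams
Get-TeamsExternalAccessRisk | Format-List          # before: typically AllowFederatedUsers=True, AllowAllKnownDomains
Set-TeamsExternalAccessAllowList -AllowedDomain 'msp.example.com'   # placeholder for the real MSP domain
Get-TeamsExternalAccessRisk | Format-List          # after: AllowedDomains shows the allow list
Remove-QuickAssist                                 # on each endpoint, not in the Teams session
```

Two caveats. First, an allow list is usually the right shape rather than a blanket block: the STAC5143 victim expected contact from an MSP, so the MSP's domain belongs on the list while every other tenant, including throwaway trial tenants, is excluded. Second, the tenant federation configuration is only one half of external access; per-user external access policies (Get-CsExternalAccessPolicy) also apply, so check both before concluding that outside accounts cannot reach a user. Removing Quick Assist does not stop Teams' own screen-sharing control, which was the other path Sophos observed; that is covered by the Teams meeting and messaging policies, not by this script.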
Gallagher added that abuse of Microsoft Office 365 is a trending attack vector. He warned that any communication platform that can be exploited through cross-organization messaging or credential and access token theft is potentially a candidate for this sort of cybercrime.
"Scammers have been leveraging the Teams open calling feature for some time -- we've seen all sorts of social engineering attempts using Teams going back at least for the last four years, but they have not been as complex or orchestrated as these current attacks by ransomware operators," he said.
Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.