Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks
Sophos noted more than 15 attacks have been reported during the past three months.
January 21, 2025
NEWS BRIEF
Sophos X-Ops' Managed Detection and Response (MDR) team is warning of ransomware campaigns that combine email bombing with Microsoft Teams calls impersonating tech support, a voice-phishing ("vishing") technique run through Microsoft Office 365.
These attacks are tied to two separate threat groups, which Sophos MDR began investigating in response to customer incidents in November and December 2024. Sophos tracks the two activity clusters as STAC5143 and STAC5777.
STAC5777 overlaps with a group previously identified by Microsoft as Storm-1811, while STAC5143 is using tactics from an old Storm-1811 playbook.
According to Sophos MDR, there have been more than 15 incidents involving these tactics in the past three months, half of them occurring just in the last two weeks.
The intrusions follow a common pattern. The attackers first send large volumes of spam to overwhelm the target's Outlook mailbox, a technique known as email bombing. They then send Teams messages or make Teams calls from a threat actor-controlled Office 365 tenant, posing as the organization's tech support. From there they get the victim to grant access through Microsoft remote control tools such as Quick Assist or Teams screen sharing, take control of the device, and install malware.
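The email bombing stage leaves a distinctive trace in mail telemetry: one mailbox suddenly receives a burst of messages from many unrelated senders. The following PowerShell is an added example, not code from the Sophos report, that flags such bursts in message-trace-style records. The property names (Received, SenderAddress, RecipientAddress) mirror the output of Get-MessageTrace from the Exchange Online module, but the records below are constructed sample data and the thresholds are illustrative assumptions.

```powershell
# Added example (not Sophos's code): detect email bombing as a burst of
# inbound mail to one recipient from many distinct senders in a short window.
function Find-EmailBombing {
    param(
        [Parameter(Mandatory)] [object[]] $Messages,
        [int] $WindowMinutes    = 10,   # sliding window length (assumed)
        [int] $MessageThreshold = 50,   # messages per recipient in window (assumed)
        [int] $SenderThreshold  = 20    # distinct senders in window (assumed)
    )
    $results = @()
    foreach ($group in ($Messages | Group-Object RecipientAddress)) {
        $sorted = @($group.Group | Sort-Object Received)
        $times  = @($sorted | ForEach-Object { [datetime]$_.Received })
        $start  = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Advance the window start until every message lies within $WindowMinutes.
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $end - $start + 1
            if ($count -ge $MessageThreshold) {
                $senders = @($sorted[$start..$end] | Select-Object -ExpandProperty SenderAddress -Unique)
                if ($senders.Count -ge $SenderThreshold) {
                    $results += [pscustomobject]@{
                        Recipient       = $group.Name
                        WindowStart     = $times[$start]
                        WindowEnd       = $times[$end]
                        MessageCount    = $count
                        DistinctSenders = $senders.Count
                    }
                    break   # one alert per mailbox is enough for triage
                }
            }
        }
    }
    return $results
}

# Constructed sample data, not real telemetry.
$base   = Get-Date '2025-01-15T09:00:00Z'
$sample = @()
# A bombing burst: 120 messages from 60 made-up sign-up senders within 8 minutes.
for ($i = 0; $i -lt 120; $i++) {
    $sample += [pscustomobject]@{
        Received         = $base.AddSeconds($i * 4)
        SenderAddress    = "signup$($i % 60)@example.net"
        RecipientAddress = 'victim@example.com'
        Subject          = "Welcome to list $i"
    }
}
# Normal traffic to a second mailbox, which should not alert.
foreach ($m in 0..4) {
    $sample += [pscustomobject]@{
        Received         = $base.AddMinutes($m * 30)
        SenderAddress    = "colleague$m@example.org"
        RecipientAddress = 'alice@example.com'
        Subject          = 'Status update'
    }
}

Find-EmailBombing -Messages $sample | Format-Table -AutoSize
```

In a live tenant, replace $sample with the output of a message trace for the last few hours (for example Get-MessageTrace from the Exchange Online Management module) and tune the thresholds against your own baseline; a genuine newsletter sign-up rarely exceeds a handful of messages per hour, so a mailbox crossing these limits deserves a call to the user before any "tech support" does.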
"We believe with high confidence that both sets of adversarial activity are parts of ransomware and data theft extortion efforts," said the Sophos researchers in their report.
The ransomware deployed by these two groups includes Black Basta and Python-based ransomware; the researchers note that STAC5777 in particular is highly active.
Though Sophos has deployed detections for the malware used in these campaigns, it recommends that organizations take further steps, such as configuring their Microsoft 365 tenant to restrict Teams calls from outside organizations and raising employee awareness of these tactics, which are not normally covered in anti-phishing training.
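The Teams restriction Sophos recommends is governed by the tenant federation configuration. The following PowerShell is an added example, not Sophos's or Microsoft's own guidance verbatim, showing how to audit the current external-access settings and tighten them so that only explicitly allowed partner tenants can reach employees over Teams. It assumes the MicrosoftTeams module and a Teams administrator role; the partner domain names are placeholders.

```powershell
# Added example: audit and harden Teams external access with the
# MicrosoftTeams module. Domain names below are placeholders.
Connect-MicrosoftTeams

# 1. Audit. By default, federation is open to any Microsoft 365 tenant and
#    to consumer Teams accounts, which is what lets an attacker-controlled
#    tenant call or message your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowedDomains, BlockedDomains

# 2. Least privilege: block consumer Teams accounts entirely and limit
#    federation to an explicit allow list of business partners.
$partners  = @('partner-a.example', 'partner-b.example')   # placeholders
$allowList = New-CsEdgeAllowList -AllowedDomain (
    $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
)

Set-CsTenantFederationConfiguration `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList

# 3. If no partner needs Teams federation at all, turn it off outright instead:
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# 4. Verify the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

External access (federation) is separate from guest access, so review the guest settings as well; an allow list only stops unsolicited calls and chats from tenants you have not named, so the user-awareness step still matters for calls that arrive from a partner domain or by phone.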
Sophos provided a list of indicators of compromise for these campaigns available for viewing on its GitHub repository.