Full Report
A researcher at Sophos told CyberScoop that the company observed these tactics being used against multiple individuals and at least 15 organizations. Source: "Ransomware groups pose as fake tech support over Teams", first published on CyberScoop.
Analysis Summary
# Incident Report: Multi-Vector M365/Teams Ransomware Campaigns
## Executive Summary
Sophos researchers tracked at least two distinct ransomware campaigns active between November and December 2024 that leveraged social engineering through email bombing and Microsoft Teams to gain initial access. Attackers targeted smaller organizations that recently migrated to the cloud, eventually leading to credential compromise, disabling security measures, and lateral movement within the network, although most observed attempts were blocked before full deployment. The incident highlights significant risks associated with default configurations in Microsoft 365 and a lack of employee awareness regarding external social engineering attempts via internal communication platforms.
## Incident Details
- **Discovery Date:** Tuesday (the day Sophos published its research; the exact date is not given in the source)
- **Incident Date:** November - December 2024
- **Affected Organizations:** At least 15 organizations targeted; most attempts were blocked before compromise.
- **Sector:** Multiple sectors, particularly small and mid-sized businesses (SMBs) utilizing cloud infrastructure.
- **Geography:** Not disclosed; the targets were organizations operating in cloud environments.
## Timeline of Events
### Initial Access
- **Date/Time:** November - December 2024 (Ongoing activity tracked)
- **Vector:** Email Bombing and Vishing/Social Engineering via Microsoft Teams.
- **Details:**
1. **Email Bombing:** Targets were inundated with an overwhelming volume of spam emails (up to 3,000 in 45 minutes) to create urgency and prompt the victim to contact IT support.
2. **Teams Contact:** Attackers, using an external account posing as IT support or a "Help Desk Manager," messaged the victim through Microsoft Teams.
3. **Remote Session:** The attacker convinced the victim to grant remote screen control via Teams or Microsoft Quick Assist under the guise of providing assistance.
### Lateral Movement
- **Date/Time:** Post initial compromise.
- **Details:** Once a command and control channel was established via the remote session, attackers used the target's credentials to disable MFA and AV protections, connect to other hosts, and move laterally across the network.
### Data Exfiltration/Impact
- **Details:** The ultimate goal was ransomware deployment. Compromised credentials were used to access external SharePoint files and deploy malware.
### Detection & Response
- **Details:** Sophos MDR observed the activity across multiple clusters. In most observed cases, compromised devices were blocked before the attackers could deploy malware successfully.
## Attack Methodology
| MITRE ATT&CK Phase | Technique Used |
| :--- | :--- |
| **Initial Access** | **T1566.002 (Phishing: Spearphishing Link)** via massive email bombing; **T1566.001 (Phishing: Spearphishing Attachment)** or **T1598 (Phishing for Information)** via impersonation on Teams. |
| **Persistence** | Not explicitly detailed, but maintaining C2 via compromised session. |
| **Privilege Escalation** | Not explicitly detailed, but gaining access via user interaction and remote control. |
| **Defense Evasion** | Disabling Antivirus protections post-access. |
| **Credential Access** | Utilizing compromised user credentials obtained during the remote session. |
| **Discovery** | Connecting to other hosts on the network post-initial compromise. |
| **Lateral Movement** | Connecting to other hosts using compromised credentials. |
| **Collection** | Accessing external SharePoint files to stage data or deployment files. |
| **Exfiltration** | Implied: Ransomware deployment and data theft capability utilizing stolen credentials. |
| **Impact** | Deployment of malware (Ransomware). |
## Impact Assessment
- **Financial:** Estimated costs are not disclosed, but incidents involve potential recovery costs, downtime, and ransom payments.
- **Data Breach:** Potential theft of data accessible in the compromised user's context and from external SharePoint files.
- **Operational:** Disruption due to system compromise and ransomware deployment, although most observed incidents were contained before full compromise.
- **Reputational:** Potential reputational damage, particularly for smaller organizations trusting in platform security.
## Indicators of Compromise
*(Specific IoCs were not provided in the source article.)*
- **Network indicators:** None published; the command-and-control channel ran over the attacker's remote-control session rather than a disclosed IP or domain.
- **File indicators:** None published (no malware hashes or filenames).
- **Behavioral indicators:**
  - A sudden, very high volume of inbound email to a single mailbox (email bombing).
  - Inbound Microsoft Teams messages from external accounts impersonating internal IT or help-desk staff.
  - Requests to authorize a remote-control session (Teams screen sharing or Quick Assist) shortly after such a contact.
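The three behavioral indicators are individually noisy (bulk mail, an external Teams contact, a Quick Assist session) but strong in combination and in sequence. The following Python is an added example, not code from Sophos, Microsoft or the CyberScoop article: it correlates the three signals per user over a constructed set of events. The event field names (`type`, `sender_tenant`, `sender_display`, `tool`) and the thresholds (200 messages in 45 minutes, a two-hour follow-up window) are assumptions for this illustration, not a real product schema or a vendor's tuned values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Display-name fragments an impersonator is likely to use (assumption; tune to your organization).
IT_KEYWORDS = ("help desk", "helpdesk", "it support", "service desk")


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any sliding window of length `window`."""
    times = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def build_sample_events():
    """Constructed sample telemetry; the field names are assumptions, not a real product schema."""
    events = []
    base = datetime(2024, 11, 20, 9, 0)
    # alice: 300 spam emails in 30 minutes, then the external "help desk" contact, then a remote-control request.
    for i in range(300):
        events.append({"ts": base + timedelta(seconds=6 * i), "type": "email_received", "user": "alice"})
    events.append({"ts": base + timedelta(minutes=40), "type": "teams_message", "user": "alice",
                   "sender_tenant": "external", "sender_display": "Help Desk Manager"})
    events.append({"ts": base + timedelta(minutes=50), "type": "remote_control_request", "user": "alice",
                   "tool": "Quick Assist"})
    # bob: normal mail volume and a message from the real, in-tenant IT team.
    for i in range(5):
        events.append({"ts": base + timedelta(minutes=10 * i), "type": "email_received", "user": "bob"})
    events.append({"ts": base + timedelta(minutes=15), "type": "teams_message", "user": "bob",
                   "sender_tenant": "internal", "sender_display": "IT Support"})
    # carol: an external "service desk" contact, but no email burst and no remote-control request.
    events.append({"ts": base + timedelta(minutes=20), "type": "teams_message", "user": "carol",
                   "sender_tenant": "external", "sender_display": "Service Desk"})
    return events


def analyze_user(events, window=timedelta(minutes=45), burst_threshold=200, follow_up=timedelta(hours=2)):
    """Evaluate the three indicators over one user's events; returns the flags plus a verdict."""
    email_times = [e["ts"] for e in events if e["type"] == "email_received"]
    burst = max_in_window(email_times, window) >= burst_threshold

    # External-tenant Teams senders whose display name claims an IT or help-desk role.
    impersonation = [e for e in events
                     if e["type"] == "teams_message"
                     and e.get("sender_tenant") == "external"
                     and any(k in e.get("sender_display", "").lower() for k in IT_KEYWORDS)]

    # A remote-control request counts only when it follows a suspicious external contact within `follow_up`.
    remote = any(e["type"] == "remote_control_request"
                 and contact["ts"] <= e["ts"] <= contact["ts"] + follow_up
                 for contact in impersonation for e in events)

    hits = sum([burst, bool(impersonation), remote])
    if impersonation and hits == 3:
        verdict = "high"        # full email-bomb -> fake help desk -> remote session chain
    elif impersonation and hits == 2:
        verdict = "medium"
    elif hits >= 1:
        verdict = "low"
    else:
        verdict = "none"
    return {"email_burst": burst, "external_it_contact": bool(impersonation),
            "remote_control_after_contact": remote, "verdict": verdict}


def detect(events):
    """Group events by target user and analyze each; returns {user: result}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return {user: analyze_user(evts) for user, evts in by_user.items()}


if __name__ == "__main__":
    for user, result in detect(build_sample_events()).items():
        print(user, result)
```

The ordering check matters: a remote-control request that precedes any external contact, or comes hours later, is not counted, which keeps legitimate in-tenant support sessions (bob) from raising the score. Feeding real data means mapping your mail-flow, Teams audit and endpoint telemetry onto the assumed fields.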
## Response Actions
- **Containment measures:** In the cases that were blocked, Sophos MDR stopped the malware before it executed on the targeted devices.
- **Eradication steps:** The article does not describe the steps victims took; eradication for this pattern would typically involve resetting the compromised credentials and rebuilding affected hosts.
- **Recovery actions:** Not specified; recovery would involve restoring systems and validating the M365/Azure security configuration.
## Lessons Learned
- **Default Configurations are Risky:** Default Microsoft Teams settings often allow external accounts to message employees directly, an exposure these threat actors rely on.
- **Employee Awareness Gap:** Standard anti-phishing training often fails to cover social engineering delivered via modern internal communication tools (Teams) or how to verify the identity of supposed IT support staff contacting employees for assistance.
- **Targeting Cloud Adoption:** Cybercriminals are actively targeting SMBs that rapidly migrated to Office 365 and Azure, often without implementing custom security configurations.
## Recommendations
- Scrutinize and restrict default configurations in Microsoft Teams to limit or log communications from external users.
- Implement multi-factor authentication rigorously and ensure MFA cannot be easily disabled by compromised user accounts.
- Update employee security awareness training to specifically address social engineering attempts via internal platforms (Teams) where actors impersonate IT support staff, including procedures for verifying identity before granting remote access.
- Employees should know the names/emails of their established IT support staff to vet inbound requests.
- Employ threat detection services that can monitor for command-and-control activity initiated through remote-control sessions (Teams screen sharing, Quick Assist) on M365-connected endpoints.