Researchers at Sophos say they have seen more than 15 incidents in which two separate groups used Microsoft Office 365’s default service settings to socially engineer their way onto a victim’s system.
# Incident Report: Microsoft Teams Social Engineering Leading to Ransomware Deployment
## Executive Summary
Russian-linked cybercriminals are exploiting default Microsoft Teams settings to conduct sophisticated social engineering attacks, posing as IT support staff. Attackers initiate contact, often after sending a high volume of distracting emails, and trick employees into granting remote access (via QuickAssist or Teams screen share) to deploy malware, including ransomware. Sophos observed over 15 such incidents, managing to contain most, though one non-managed endpoint experienced data exfiltration before ransomware execution.
## Incident Details
- Discovery Date: Not explicitly stated, but reported by Sophos on a Thursday.
- Incident Date: Occurred recently, with one case noted on U.S. Election Day.
- Affected Organization: Multiple organizations targeted (Sophos saw >15 incidents).
- Sector: Not explicitly disclosed, likely general corporate sector.
- Geography: Implied global reach, with one observed remote IP address originating in Russia.
## Timeline of Events
### Initial Access
- Date/Time: Unspecified leading up to detection.
- Vector: Social Engineering via Microsoft Teams.
- Details: Attackers first sent a high volume of emails to distract the victim. They then initiated a direct Teams call (voice or video) impersonating IT help desk staff, leveraging the trust associated with calls from external, purportedly legitimate support providers.
### Lateral Movement
- Details: Little information on lateral movement is provided. Once remote access was granted, the attackers used the remote desktop tooling for direct "hands-on-keyboard" actions and scripted command execution. One case involved dropping a Java Archive (JAR) and a .zip archive containing Python code.
### Data Exfiltration/Impact
- Data Exfiltration: Observed in at least one case where ransomware failed to execute on a non-managed endpoint.
- Impact: The primary goal was to install ransomware on victim networks.
### Detection & Response
- Detection: Detected by Sophos X-Ops while researching separate BeaverTail cases.
- Response Actions: Sophos was able to protect the majority of the over 15 incidents, preventing full compromise for most customers under Managed Detection and Response (MDR).
## Attack Methodology
- Initial Access: Social engineering via bulk emails followed by direct Microsoft Teams calls impersonating IT support. Exploited default Teams configuration allowing external chats/meetings.
- Persistence: Not explicitly detailed, but implied through the successful execution of malware/ransomware payload.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Used legitimate tools (Microsoft QuickAssist or Teams screen share) to gain authorized remote access, bypassing traditional security alerts.
- Credential Access: Not explicitly detailed.
- Discovery: QuickAssist or direct screen sharing was used to gain visibility and initiate remote commands.
- Lateral Movement: In some cases involved hands-on-keyboard actions and scripted commands similar to the Storm-1811 playbook.
- Collection: Data gathering occurred after remote access was established.
- Exfiltration: Confirmed in one instance prior to ransomware execution.
- Impact: Deployment of ransomware, or attempted deployment.
## Impact Assessment
- Financial: Unknown, but costs associated with potential ransomware negotiation/recovery or incident response are implied.
- Data Breach: Data exfiltration confirmed in one instance affecting an endpoint customer; type/volume unknown.
- Operational: Potential for widespread network disruption if ransomware successfully deployed.
- Reputational: Potential reputational damage due to social engineering failure and subsequent breach.
## Indicators of Compromise
- Network Indicators: Remote IP address(es) originating in Russia; the source does not disclose a specific address (`[Russian IP Range Placeholder]`).
- File Indicators: Java Archive (JAR), .zip archive containing Python code with obfuscation methods linked to FIN7 activity.
- Behavioral Indicators: High volume of incoming emails preceding a targeted Teams call; employees willingly granting remote control via QuickAssist or Teams screen share under the guise of IT support.
## Response Actions
- Containment: Sophos was able to protect the majority of targeted customers.
- Eradication: Not detailed; remediation of the affected endpoints is implied.
- Recovery: Not detailed.
## Lessons Learned
- The default configuration of Microsoft Teams that permits unrestricted chat/meetings from external domains is a critical vulnerability when paired with social engineering.
- Victims under high stress (e.g., mass emails) or those who outsource IT support are highly susceptible to these impersonation techniques.
- Two distinct threat groups (one overlapping with Storm-1811, the other possibly linked to FIN7) are actively using this sophisticated tactic.
## Recommendations
- Organizations must review and restrict Microsoft Teams external access settings so that chats and calls from external organizations are permitted only for explicitly trusted business partners.
- Implement strict policies governing remote access applications, ensuring that tools like QuickAssist are restricted or used only under validated procedures.
- Enhance security awareness training specifically targeting urgent, unexpected IT support requests received via collaboration platforms like Teams.
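As an added example (not from the Sophos report), the following PowerShell uses the MicrosoftTeams module to audit a tenant's external access (federation) configuration, flag the open-to-any-tenant default the attackers relied on, and, when run with `-Apply`, replace it with an explicit allow-list of partner domains; the partner domain names are placeholders.

```powershell
# Added example (not from the Sophos report): audit and optionally harden Teams
# external access with the MicrosoftTeams PowerShell module. Assumes the module is
# installed (Install-Module MicrosoftTeams) and the caller is a Teams administrator.
# The partner domains are placeholders; replace them with your real trusted partners.
param(
    [string[]]$TrustedPartnerDomains = @('partner-msp.example', 'helpdesk-vendor.example'),
    [switch]$Apply    # without -Apply the script only reports and changes nothing
)

Connect-MicrosoftTeams | Out-Null
$fed = Get-CsTenantFederationConfiguration

# With the default configuration AllowedDomains is "AllowAllKnownDomains", so the
# AllowedDomain collection is empty while federation itself is enabled: any external
# Microsoft 365 tenant can start a chat or call with your users.
$allowList = @($fed.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain })
$openToAnyTenant = [bool]$fed.AllowFederatedUsers -and ($allowList.Count -eq 0)

[pscustomobject]@{
    AllowFederatedUsers       = $fed.AllowFederatedUsers
    OpenToAnyExternalTenant   = $openToAnyTenant
    AllowedDomains            = ($allowList -join ', ')
    AllowTeamsConsumer        = $fed.AllowTeamsConsumer          # personal Teams accounts
    AllowTeamsConsumerInbound = $fed.AllowTeamsConsumerInbound   # may they initiate contact?
} | Format-List

if (-not $Apply) {
    Write-Host 'Report only. Re-run with -Apply to restrict external access.'
    return
}

# Replace "allow all" with an explicit allow-list of partner domains and stop
# personal (consumer) Teams accounts from initiating contact with employees.
$patterns  = $TrustedPartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowOnly = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowOnly `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# Per-user external access policies (Get-CsExternalAccessPolicy) layer on top of the
# tenant setting and should be reviewed separately: a user-level policy cannot re-open
# domains the tenant blocks, but it can tighten access further for sensitive groups.
Write-Host "External access restricted to: $($TrustedPartnerDomains -join ', ')"
```

The change is tenant-wide and affects every user at once, so run it in report mode first and confirm the allow-list covers every legitimate external support provider before applying it.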