Sophos X-Ops’ Managed Detection and Response (MDR) team has issued a warning about a concerning trend in ransomware attacks that combine email bombing with tech-support impersonation over Microsoft Office 365. These attacks, a form of vishing (voice phishing), have been attributed to two separate threat groups, tracked as STAC5143 and STAC5777. Microsoft began investigating these threat groups following customer incidents that took place in November and December of 2024.
The tactics employed by these threat groups are alarming: Sophos MDR reports over 15 incidents involving these strategies in the past three months alone, half of which occurred within the last two weeks. The attackers use tools like Quick Assist or Teams screen sharing to gain control of a victim’s device and then install malware. They send Teams messages or make Teams calls from an Office 365 account under their control, posing as tech support. In addition, they flood Outlook mailboxes with large volumes of spam in a tactic known as email bombing.
Sophos researchers assess with high confidence that both threat groups are engaged in ransomware and data-theft extortion. The ransomware deployed in these attacks includes Black Basta and Python ransomware, with STAC5777 noted as particularly active.
While Sophos has implemented detections for the malicious software involved in these campaigns, it stresses that organizations should take proactive measures to safeguard against such attacks. Recommendations include configuring Microsoft 365 services to restrict Teams calls from external sources and educating employees about these tactics, which standard anti-phishing training programs may not cover.
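One way to apply the first recommendation, as an added example that is not from the Sophos report: the Teams external-access configuration before and after hardening, using the MicrosoftTeams PowerShell module. It assumes Teams admin rights, and "partner.example" is a placeholder for a domain the organization actually federates with.

```powershell
# Added example (not from the Sophos report): restrict who outside the tenant can
# call or message users in Teams, so an attacker-controlled Office 365 tenant
# cannot simply ring employees posing as tech support.
# Assumes the MicrosoftTeams module and Teams admin rights; "partner.example"
# is a placeholder domain.
Connect-MicrosoftTeams

# Weak state to look for: open federation with any tenant plus personal (consumer)
# Teams accounts allowed to start chats and calls.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
    AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# Hardened state: external users only from an explicit allow list, and no
# consumer Teams accounts at all.
$allowed = New-CsEdgeAllowList -AllowedDomain @(
    (New-CsEdgeDomainPattern -Domain "partner.example")
)
Set-CsTenantFederationConfiguration `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowed

# Verify the change took effect; anything still open is worth a ticket.
$after = Get-CsTenantFederationConfiguration
if ($after.AllowTeamsConsumer -or $after.AllowTeamsConsumerInbound) {
    Write-Warning "Consumer Teams access is still enabled"
}
if ($after.AllowedDomains.AllowedDomain.Count -eq 0) {
    Write-Warning "No allow list set; federation is still open to any tenant"
}
```

Blocking external calls does not stop the email bombing that precedes them, so the mailbox flood itself remains a useful early indicator for the help desk.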
To help organizations identify potential compromises related to these ransomware campaigns, Sophos has published a list of indicators on its GitHub repository. By taking these steps and remaining vigilant, businesses can strengthen their security posture and reduce the risk of falling victim to these increasingly prevalent and damaging ransomware attacks.
