
Sophos MDR monitors two ransomware campaigns with email bombing and Microsoft Teams vishing – Sophos News


Sophos X-Ops' Managed Detection and Response (MDR) team has responded to incidents involving two distinct clusters of threat actors who abused features of Microsoft's Office 365 platform to gain a foothold in targeted organizations, with the likely objectives of data theft and ransomware deployment.

The Sophos MDR investigations into these two separate clusters of malicious activity began with incidents reported by customers in November and December 2024. The threats are tracked under the labels STAC5143 and STAC5777. Both actors used Microsoft Office 365 tenants under their own control, taking advantage of a default Microsoft Teams configuration that allows users from external domains to initiate chats and calls with internal users.

STAC5777 overlaps with the threat group Microsoft tracks as Storm-1811, while STAC5143 is a newly identified cluster that uses tactics similar to those of Storm-1811 and has possible links to FIN7 (the group also tracked as Sangria Tempest and Carbon Spider).

Over the past three months, Sophos MDR has observed more than 15 incidents involving these threat actors, half of them in the past two weeks. The tactics common to both include email bombing to overwhelm Outlook mailboxes, posing as tech support through Teams messages and calls, and using Microsoft remote-control tools (Teams screen-sharing control and Quick Assist) to install malware on targeted computers.

The report details the tactics of each cluster. Both follow a similar attack pattern: email bombing, social engineering through fake tech support, abuse of legitimate Office 365 services, and deployment of malware for command and control and data exfiltration. Sophos assesses with high confidence that these activities are part of ransomware and data-theft extortion operations.
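The email-bombing stage described above leaves a measurable trace: one mailbox receiving an abnormal number of inbound messages from many distinct senders in a short window. The following PowerShell is an added example, not code from the Sophos report, that finds such bursts in message-trace style records. The records are constructed inline; in production you would feed it the output of Get-MessageTrace from Exchange Online. The 10-minute window and 50-message threshold are assumptions to be tuned per tenant.

```powershell
# Added example: flag mailboxes that receive a burst of inbound mail
# (the email-bombing stage). Input objects need Received (DateTime),
# RecipientAddress and SenderAddress properties, as Get-MessageTrace returns.
function Find-MailBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $WindowMinutes = 10,   # assumed window; tune per tenant
        [int] $Threshold = 50        # assumed message count; tune per tenant
    )
    $results = @()
    foreach ($group in ($Records | Group-Object RecipientAddress)) {
        $msgs  = @($group.Group | Sort-Object Received)
        $times = @($msgs | ForEach-Object { $_.Received })
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Slide the window start forward until the span fits in $WindowMinutes.
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                $senders = @($msgs[$start..$end] | ForEach-Object { $_.SenderAddress } | Sort-Object -Unique).Count
                $results += [pscustomobject]@{
                    Recipient     = $group.Name
                    WindowStart   = $times[$start]
                    WindowEnd     = $times[$end]
                    Messages      = $count
                    UniqueSenders = $senders   # many unique senders points to subscription bombing
                }
                break   # one alert per mailbox is enough for triage
            }
        }
    }
    return $results
}

# Constructed sample data (not real trace output): one mailbox gets 120 messages
# in five minutes from many different senders, another gets normal traffic.
$t0 = Get-Date '2024-12-02T09:00:00'
$sample = @(
    1..120 | ForEach-Object {
        [pscustomobject]@{
            Received         = $t0.AddSeconds($_ * 2.5)
            RecipientAddress = 'victim@contoso.example'
            SenderAddress    = "signup$($_)@bulk-$($_ % 37).example"
        }
    }
    1..8 | ForEach-Object {
        [pscustomobject]@{
            Received         = $t0.AddMinutes($_ * 5)
            RecipientAddress = 'normal@contoso.example'
            SenderAddress    = 'colleague@contoso.example'
        }
    }
)

Find-MailBurst -Records $sample | Format-Table -AutoSize
```

Only the victim mailbox is reported: 50 messages inside roughly two minutes, spread across 37 sender domains. A burst like this arriving shortly before an external Teams chat or call to the same user is the sequence both clusters rely on, so the Recipient and WindowEnd values are what you would correlate against Teams external-access events.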

STAC5143 used Teams' built-in remote control, a malicious Java Archive (JAR) loader, and Python-based backdoors extracted from payloads fetched via remote SharePoint links, relying on tools and techniques associated with FIN7.

STAC5777, by contrast, used Microsoft Quick Assist, made hands-on-keyboard configuration changes, sideloaded malicious DLLs through a legitimate Microsoft updater for persistence and credential theft, and deployed Black Basta ransomware. The actor behind STAC5777 was highly active during the intrusions and overlaps with the previously identified Storm-1811 group.

The detailed analysis of the STAC5143 attack chain revealed a multi-stage process: email bombing, social engineering through Teams calls, a Java-based backdoor, and Python-based payloads for command and control and data exfiltration. The malware analysis highlighted the obfuscation of the Python code, which reuses techniques seen in earlier FIN7-related attacks.

STAC5777's attack chain was more hands-on-keyboard: the actors talked users into installing Microsoft Quick Assist for remote access, took control of the session, and deployed malicious payloads through legitimate processes such as OneDriveStandaloneUpdater.exe. The actor then established persistence, evaded defenses, gathered credentials, moved laterally, and attempted data exfiltration and ransomware execution.

Sophos has deployed specific detections for the malware used in these campaigns. Organizations are advised to take proactive steps to prevent such attacks by restricting which external domains can reach their users through Teams chats and calls, limiting remote-access applications such as Quick Assist, and raising employee awareness of these social-engineering tactics. The full list of indicators of compromise for these campaigns is available in Sophos's GitHub repository.
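The two mitigations above, restricting external Teams access and limiting Quick Assist, can be applied from PowerShell. The block below is an added example, not configuration from the Sophos report; it uses the MicrosoftTeams module (Teams administrator required) and Windows capability cmdlets (local administrator required). The partner domain names are placeholders.

```powershell
# Added example: close the two doors used in these campaigns.

# --- Teams: replace the default "allow all external domains" with an allowlist ---
Connect-MicrosoftTeams

# Assumed partner tenants; replace with the domains your business actually works with.
$partners  = @('partner-a.example', 'partner-b.example')
$allowList = New-CsEdgeAllowList -AllowedDomain @(
    $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
)

$fedConfig = @{
    AllowFederatedUsers       = $true       # keep federation on ...
    AllowedDomains            = $allowList  # ... but only for the listed domains
    AllowTeamsConsumer        = $false      # block personal (consumer) Teams accounts
    AllowTeamsConsumerInbound = $false      # and stop them initiating contact
    AllowPublicUsers          = $false      # block Skype consumer users
}
Set-CsTenantFederationConfiguration @fedConfig

# Verify: AllowedDomains should now list the AllowList, not AllowAllKnownDomains.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound

# --- Endpoint: remove Quick Assist where the help desk does not depend on it ---
# The inbox version ships as a Windows capability.
Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
    Where-Object State -eq 'Installed' |
    ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name }

# Newer builds deliver Quick Assist as a Store package instead; remove that too.
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
    Remove-AppxPackage -AllUsers
```

If federation must be disabled entirely, set AllowFederatedUsers to $false and drop the AllowedDomains entry. Either way, re-run the Get-CsTenantFederationConfiguration check after the change, because the tenant default of allowing every external domain is exactly what let these actors' own tenants reach internal users.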
