Ransomware groups are adopting advanced techniques that combine email bombing with fake Microsoft Teams IT support calls to infiltrate company networks.
Cybersecurity firm Sophos has uncovered multiple campaigns where attackers overwhelmed targets with thousands of spam emails, followed by Teams calls from adversary-controlled accounts impersonating IT support. Exploiting default Microsoft Teams settings that allow external domains to initiate communication, the attackers tricked employees into granting remote control access, enabling the deployment of malware.
In one instance, attackers used malicious Java archive (JAR) files and Python scripts hosted on external SharePoint links. These files executed PowerShell commands to download legitimate applications like ProtonVPN, which were used to side-load malicious DLL files. The attackers established encrypted command-and-control channels to maintain remote access. Tools such as RPivot, a penetration testing utility, were employed for proxy tunneling and further malicious activity. While these tactics share similarities with campaigns linked to FIN7, the public availability of the tools complicates attribution.
Another campaign revealed even more advanced methods. Attackers tricked victims into installing Microsoft Quick Assist, providing them with direct control over targeted systems. Malware hosted on Azure Blob Storage was side-loaded into legitimate processes, enabling the attackers to log keystrokes, harvest credentials, and scan networks for potential lateral movement.
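The pattern described in the two paragraphs above (a burst of inbound mail, then a Teams call from an outside tenant, then a remote-assist tool such as Quick Assist starting on the same user's machine) can be correlated from telemetry a SOC already collects. The following is an added detection example, not code from Sophos or from the article; the log format, the thresholds, the list of remote-assist process names and all sample events are constructed assumptions for illustration.

```python
"""Correlate mail, Teams and endpoint telemetry to flag the email-bomb / fake-IT-call pattern.

Added example (not from the original article). The Event schema, thresholds and
sample data below are constructed assumptions, not a real product's log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str    # "mail" (inbound message), "teams_call" (incoming call), "process" (process start)
    detail: str  # sender domain, caller's tenant domain, or process image name


INTERNAL_DOMAIN = "corp.example"                 # assumption: the organisation's own tenant
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}  # assumption: tools to watch
MAIL_BURST_THRESHOLD = 200                       # inbound mails to one mailbox ...
MAIL_BURST_WINDOW = timedelta(minutes=15)        # ... within this sliding window = "email bomb"
FOLLOWUP_WINDOW = timedelta(hours=2)             # how long after the burst we look for the call / tool


def find_mail_bursts(events):
    """Return {user: burst_start} for mailboxes hit by >= MAIL_BURST_THRESHOLD mails in MAIL_BURST_WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        if e.kind == "mail":
            per_user[e.user].append(e.ts)
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(times):
            while times[j] < t - MAIL_BURST_WINDOW:
                j += 1
            if i - j + 1 >= MAIL_BURST_THRESHOLD:
                bursts[user] = times[j]
                break
    return bursts


def correlate(events):
    """Raise an alert per user whose mail burst is followed by an external Teams call;
    escalate to 'high' when a remote-assist tool also starts in the same window."""
    alerts = []
    for user, start in find_mail_bursts(events).items():
        end = start + FOLLOWUP_WINDOW
        in_window = [e for e in events if e.user == user and start <= e.ts <= end]
        ext_calls = [e for e in in_window if e.kind == "teams_call" and e.detail != INTERNAL_DOMAIN]
        tools = [e for e in in_window if e.kind == "process" and e.detail.lower() in REMOTE_TOOLS]
        if ext_calls:
            alerts.append({
                "user": user,
                "burst_start": start,
                "external_callers": sorted({e.detail for e in ext_calls}),
                "remote_tools": sorted({e.detail.lower() for e in tools}),
                "severity": "high" if tools else "medium",
            })
    return alerts


def build_sample_events():
    """Constructed telemetry: alice receives 300 mails in 10 minutes, then an external
    Teams call, then Quick Assist starts; bob only sees normal mail and an internal call."""
    t0 = datetime(2025, 1, 10, 9, 0, 0)
    events = [Event(t0 + timedelta(seconds=2 * i), "alice", "mail", f"list{i}.example") for i in range(300)]
    events += [Event(t0 + timedelta(minutes=3 * i), "bob", "mail", "partner.example") for i in range(5)]
    events.append(Event(t0 + timedelta(minutes=25), "alice", "teams_call", "helpdesk-support.example"))
    events.append(Event(t0 + timedelta(minutes=40), "alice", "process", "QuickAssist.exe"))
    events.append(Event(t0 + timedelta(minutes=41), "bob", "teams_call", INTERNAL_DOMAIN))
    return events


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

The mail burst on its own is noisy (newsletter floods happen), so the rule only fires when an incoming call from a tenant other than your own lands in the follow-up window, and the severity rises when a remote-assist binary starts afterwards. The same windows are a natural place to hang the mitigations the article points at: restricting which external domains may initiate Teams calls, and treating Quick Assist or similar tools as monitored or blocked software where they are not needed.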
Sophos observed these attackers attempting to deploy Black Basta ransomware, indicating a connection to the notorious ransomware group. The attackers also accessed files with “password” in their names and searched for Remote Desktop Protocol (RDP) credentials to facilitate further exploitation.
Bijay Pokharel