Cybercriminals Exploiting Microsoft Teams and Email Bombing in New Ransomware Tactics

Cybercriminals are leveraging Microsoft Teams, email bombings, and remote access tools to orchestrate sophisticated ransomware campaigns, according to recent findings by Sophos. These tactics exploit workplace communication tools and employee trust, posing significant risks to businesses of all sizes.

The Persistent Role of Social Engineering in Cyber-Extortions

Sophos researchers tracked two ransomware groups using innovative methods to bypass conventional security measures.

One tactic involves “email bombing”, where attackers overwhelm inboxes with spam emails, distracting victims and burying legitimate warnings about malicious activity. Simultaneously, attackers impersonate IT support staff via Microsoft Teams, using the platform’s built-in features to gain access to victims’ systems.

Sean Gallagher, Principal Threat Researcher at Sophos, explains the growing threat as a sustaining phenomenon, despite the exploitation of remote management tools and abuse of legitimate services themselves are not old news.

“Microsoft Teams’ default configuration allows individuals outside an organisation to chat with or call internal staff at a company, and attackers are abusing this feature,” he said.

“Since many companies use managed service providers for their IT support, receiving a Teams call from an unknown person that’s labelled as ‘Help Desk Manager’ may not ring alarm bells, especially if it’s combined with an overwhelming amount of spam email.”

How It Happened in the First Place

In one campaign observed by the Abingdon-based cybersecurity firm, attackers gained remote access to systems by manipulating victims into sharing their screen or granting control through Teams.

With remote capabilities, they installed malware, disabled security tools, and even deployed ransomware. This attack also highlighted the misuse of Microsoft’s Quick Assist, a tool intended for legitimate remote troubleshooting.

The default settings in Microsoft Teams, which permit external users to contact internal employees without prior authorisation, have emerged as a key vulnerability. Sophos has urged organisations to review their Teams configurations, restrict external communications, and disable remote access tools that are not actively used within their networks.

Sophos highlights that the continued rise in managed detection and response (MDR) and incident response (IR) cases linked to these tactics is a cause for concern. With 15 incidents reported in the past three months, half occurring in the last two weeks, organisations using Microsoft 365 are urged to review configurations, block external messages where possible, and disable unused remote access tools.

Reported Patterns of the Trend

The firm identified two distinct threat groups behind these campaigns. One group, labelled STAC5143, mimicked tactics commonly associate with the FIN7 cybercriminal gang, while another, STAC5777, showed links to the Storm-1811 group.

Both groups exploited Microsoft Teams to communicate with and manipulate their targets, planting malware and performing reconnaissance before deploying ransomware.

Keep Your Eyes Sharp and Always Remain Caution

The findings underscore the importance of employee awareness and robust organisational policies.

As reported by Kaspersky, 60% of companies reported incidents where attackers executed malicious code or attempted to control compromised systems throughout 2024. Sophos’s report highlights that despite being a longstanding issue, these cases remain highly relevant and continue to pose significant threats.

Therefore, providing comprehensive training to employees in recognising social engineering tactics must remain a priority, and companies are advised to enforce multi-factor authentication and stricter remote management tool access to avoid succumbing into this extortion.