
Hackers Deliver Ransomware on Windows Via Microsoft Teams Voice Calls

Sophos X-Ops’ Managed Detection and Response (MDR) team has uncovered two highly active threat actor clusters abusing Microsoft Office 365 services to target organizations.

Identified as STAC5143 and STAC5777, these clusters rely on social engineering, such as email bombing and fake Microsoft Teams tech-support calls, and on the misuse of legitimate Microsoft tools, such as Quick Assist and Teams’ remote control feature, to gain an initial foothold in victim networks.

With more than 15 recorded incidents since November 2024, Sophos warns organizations of the escalating risk posed by these campaigns.

STAC5143: Leveraging Teams and Java-Based Malware

STAC5143 combines Teams’ screen-sharing and remote control features with malicious Java archives and Python scripts.

[Figure: Python code from an obfuscated copy of RPivot]

The attackers open their campaigns with email bombing, flooding the victim’s inbox with thousands of spam messages, and then follow up with Teams calls in which they impersonate the organization’s IT support.

Once a victim grants remote control, STAC5143 runs Java Archive (JAR) files that launch Python-based backdoors fetched from external SharePoint links.

These backdoors, including an obfuscated copy of RPivot, give the attackers a reverse SOCKS proxy into the network, which they use for remote command execution and lateral movement.

Sophos links this activity to tools and techniques previously associated with the FIN7 (Sangria Tempest) threat actor but notes divergences in victim profiles and targeting methods.


STAC5777: Exploiting Quick Assist for Direct Device Compromise

STAC5777 relies on Microsoft Quick Assist: during a Teams call, the attackers talk the victim into launching (or installing) the tool and approving a remote session.

Once the victim accepts the session, the attackers have interactive control of the device and can execute malicious payloads directly.

The group also abuses legitimate Microsoft executables, such as OneDriveStandaloneUpdater.exe, to side-load malicious DLLs (e.g., a rogue winhttp.dll) for persistence, data exfiltration, and command-and-control connections.

Sophos also observed STAC5777 using compromised credentials to scan the network for hosts exposing SMB, RDP, and WinRM, behavior indicative of lateral movement.
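The side-loading pattern described above (a signed Microsoft updater loading a winhttp.dll that does not live in the Windows system directories) is narrow enough to hunt for directly. The following PowerShell script is an added example, not code from Sophos or the article. It assumes Sysmon is installed with image-load (Event ID 7) logging enabled for the process, falls back to an on-disk sweep of user-profile directories when the Sysmon log is unavailable, and checks every hit with Get-AuthenticodeSignature; run it in an elevated session on the endpoint under investigation.

```powershell
# Added example (not from the Sophos report or the article): hunt for the
# STAC5777 side-loading pattern, i.e. OneDriveStandaloneUpdater.exe loading a
# winhttp.dll from outside System32 / SysWOW64 / WinSxS.
#   Check 1: Sysmon Event ID 7 (Image loaded) from the local Sysmon log
#            (assumes Sysmon is installed and logs image loads for this process).
#   Check 2: on-disk sweep of user-profile directories for stray winhttp.dll copies.

$target     = 'OneDriveStandaloneUpdater.exe'
$dllName    = 'winhttp.dll'
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'WinSxS')
)

function Test-InSystemDir {
    param([string]$Path)
    foreach ($dir in $systemDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()

# --- Check 1: Sysmon image-load events ---------------------------------------
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
    } -ErrorAction Stop
    foreach ($ev in $events) {
        # Read the named EventData fields instead of relying on property order.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['Image'] -like "*\$target" -and
            $data['ImageLoaded'] -like "*\$dllName" -and
            -not (Test-InSystemDir $data['ImageLoaded'])) {
            $findings += [pscustomobject]@{
                Source    = 'Sysmon ID 7'
                Time      = $ev.TimeCreated
                Process   = $data['Image']
                Dll       = $data['ImageLoaded']
                Signed    = $data['Signed']
                Signature = $data['Signature']
            }
        }
    }
} catch {
    Write-Warning "Sysmon log not available or unreadable: $($_.Exception.Message)"
}

# --- Check 2: stray winhttp.dll copies under C:\Users --------------------------
$profileRoot = Split-Path $env:USERPROFILE -Parent   # e.g. C:\Users
$stray = Get-ChildItem -Path $profileRoot -Recurse -Filter $dllName -File -ErrorAction SilentlyContinue
foreach ($file in $stray) {
    # A genuine winhttp.dll is Microsoft-signed and lives in the system directories;
    # an unsigned or third-party-signed copy in a user profile is a side-loading candidate.
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $findings += [pscustomobject]@{
        Source    = 'Disk sweep'
        Time      = $file.LastWriteTime
        Process   = ''
        Dll       = $file.FullName
        Signed    = ($sig.Status -eq 'Valid')
        Signature = $signer
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No $dllName side-loading indicators found."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize
}
```

Any row from the Sysmon check is worth an incident ticket on its own: the updater has no legitimate reason to resolve winhttp.dll from a user-writable path. Rows from the disk sweep need a second look at the signer before escalation, since a copy signed by Microsoft and identical to the System32 file is noise rather than a finding.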

In one case, the group attempted to deploy Black Basta ransomware, which Sophos blocked.

Both clusters rely heavily on social engineering and on Office 365’s default configuration, which allows users to receive Teams calls from external tenants.

STAC5143 and STAC5777 have also adopted overlapping tactics, including:

  • Email bombing to create urgency and distraction.
  • Fake IT support calls via Teams to trick victims into granting remote control.
  • Malware delivery through legitimate Microsoft services, such as SharePoint and Quick Assist.
  • Persistent footholds established through DLL side-loading, followed by network discovery and credential harvesting.

Sophos strongly recommends that organizations disable external Teams communications unless they are genuinely required, and block or restrict remote-access tools such as Quick Assist wherever they have no sanctioned use.
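Both of those recommendations can be applied from PowerShell. The script below is an added example, not configuration published by Sophos or Microsoft for this campaign. Part 1 assumes the MicrosoftTeams module is installed and the operator holds a Teams administrator role; the allow-listed domain partner.example is a placeholder. Part 2 runs locally on a Windows endpoint with administrator rights and removes the Quick Assist Store package.

```powershell
# Added example (not from the Sophos report or the article): tenant-level and
# endpoint-level hardening for the two entry points described above.
#   Part 1: Teams external access (MicrosoftTeams module, Teams admin role required)
#   Part 2: Quick Assist removal on a Windows endpoint (run elevated)
# 'partner.example' is a placeholder for vetted partner tenant domains.

# ---- Part 1: Teams external access -------------------------------------------
Connect-MicrosoftTeams

# Review the current state first. The defaults allow federated (external tenant)
# users and personal Teams consumer accounts to call users in the tenant.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# Block contact with and from personal (consumer) Teams accounts entirely.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Replace "federate with any domain" with an explicit allow-list. If no partner
# tenants need to reach your users, set -AllowFederatedUsers $false instead.
$allowed = New-Object 'System.Collections.Generic.List[string]'
$allowed.Add('partner.example')   # placeholder: replace with vetted partner domains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $allowed

# ---- Part 2: Quick Assist on endpoints --------------------------------------
# Quick Assist ships as a Store (Appx) package. Remove it for all users on
# machines where help-desk use of it is not sanctioned, then strip the
# provisioned package so new user profiles on this image do not get it back.
$qa = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
if ($qa) {
    $qa | Remove-AppxPackage -AllUsers
    Write-Host 'Quick Assist removed for all users.'
} else {
    Write-Host 'Quick Assist package not present.'
}
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxProvisionedPackage -Online
```

Removing the package only closes this particular door; if the help desk legitimately uses Quick Assist, keep it and instead pair the Teams allow-list with user guidance that IT support will never initiate a remote session from a Teams call.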

Organizations should also integrate Office 365 telemetry with their endpoint protection so that suspicious activity is detected early, and raise employee awareness of these evolving tactics.

Enhanced training on identifying fake IT support requests and resisting urgency tactics is also essential.

Both STAC5143 and STAC5777 exemplify the increasing sophistication of ransomware and extortion-focused campaigns leveraging trusted platforms like Office 365.

Sophos’ analysis underscores the importance of robust endpoint protection, email security, and vigilant configuration management to detect and block these threats at early stages.

By adopting a layered defense strategy, organizations can better safeguard their systems against such campaigns. Indicators of compromise are published alongside Sophos’ report.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
