Hackers Deliver Ransomware on Windows Via Microsoft Teams Voice Calls

Sophos X-Ops’ Managed Detection and Response (MDR) team has uncovered two highly active threat actor clusters exploiting Microsoft Office 365 to target organizations.

Identified as STAC5143 and STAC5777, these clusters use advanced social engineering tactics, such as email bombing, fake Microsoft Teams tech support calls, and misuse of Microsoft tools, like Quick Assist and Teams’ remote control functionality, to infiltrate networks.

With over 15 recorded incidents since November 2024, Sophos warns organizations of escalating risks tied to these campaigns.

STAC5143: Leveraging Teams and Java-Based Malware

STAC5143 has adopted a sophisticated approach that combines Teams’ remote desktop features with malicious Java and Python scripts.

The attackers initiate their campaigns with email bombing, sending thousands of spam messages to overwhelm victims, followed by team calls impersonating IT support.

Once a victim grants remote access, STAC5143 deploys Java Archive (JAR) files to execute malicious Python-based backdoors obtained from external SharePoint links.

These backdoors, including obfuscated RPivot malware, provide the attackers with a SOCKS proxy for remote command execution and lateral movement across networks.

Sophos links this activity to tools and techniques previously associated with the FIN7 (Sangria Tempest) threat actor but notes divergences in victim profiles and targeting methods.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

STAC5777: Exploiting Quick Assist for Direct Device Compromise

STAC5777 employs Microsoft Quick Assist, guiding victims to install this remote access tool through Teams calls.

Once Quick Assist is active, attackers gain full control of the victim’s device, allowing for direct execution of malicious payloads.

The group also uses legitimate Microsoft executables, such as OneDriveStandaloneUpdater.exe, to side-load malicious DLLs (e.g., winhttp.dll) for persistence, data exfiltration, and command-and-control connections.

Sophos detected STAC5777 scanning networks for SMB, RDP, and WinRM hosts using compromised credentials, indicative of lateral movement.

In one case, the group attempted to deploy Black Basta ransomware, which Sophos blocked.

Both threat clusters rely heavily on social engineering and exploitation of Office 365’s default settings, such as allowing external Teams calls.

STAC5143 and STAC5777 have also adopted overlapping tactics, including:

• Email bombing to create urgency and distraction.
• Fake IT support calls via Teams to trick victims into granting remote control.
• Malware delivery through legitimate Microsoft services, such as SharePoint and Quick Assist.
• Persistent footholds using DLL side-loading, network discovery, and credential harvesting.

Sophos strongly recommends organizations proactively mitigate these threats by disabling external Teams communications unless necessary and restricting unauthorized applications like Quick Assist.

Organizations should integrate Office 365 with endpoint protection solutions to monitor for suspicious activities and raise employee awareness about these evolving tactics.

Enhanced training on identifying fake IT support requests and resisting urgency tactics is also essential.

Both STAC5143 and STAC5777 exemplify the increasing sophistication of ransomware and extortion-focused campaigns leveraging trusted platforms like Office 365.

Sophos’ analysis underscores the importance of robust endpoint protection, email security, and vigilant configuration management to detect and block these threats at early stages.

By adopting a layered defense strategy, organizations can better safeguard their systems from such adversarial campaigns. For Indicators of compromise refer here.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar