Hackers Deliver Ransomware on Windows Via Microsoft Teams Voice Calls

Sophos X-Ops’ Managed Detection and Response (MDR) team has uncovered two highly active threat actor clusters exploiting Microsoft Office 365 to target organizations.

Identified as STAC5143 and STAC5777, these clusters use advanced social engineering tactics, such as email bombing, fake Microsoft Teams tech support calls, and misuse of Microsoft tools, like Quick Assist and Teams’ remote control functionality, to infiltrate networks.

With over 15 recorded incidents since November 2024, Sophos warns organizations of escalating risks tied to these campaigns.

STAC5143: Leveraging Teams and Java-Based Malware

STAC5143 has adopted a sophisticated approach that combines Teams’ remote desktop features with malicious Java and Python scripts.

[Figure: Python code from an obfuscated copy of RPivot i]

The attackers open their campaigns with email bombing, sending thousands of spam messages to overwhelm victims, and then follow up with Teams calls in which they impersonate IT support.

Once a victim grants remote access, STAC5143 deploys Java Archive (JAR) files to execute malicious Python-based backdoors obtained from external SharePoint links.

These backdoors, including obfuscated RPivot malware, provide the attackers with a SOCKS proxy for remote command execution and lateral movement across networks.

Sophos links this activity to tools and techniques previously associated with the FIN7 (Sangria Tempest) threat actor but notes divergences in victim profiles and targeting methods.

STAC5777: Exploiting Quick Assist for Direct Device Compromise

STAC5777 employs Microsoft Quick Assist, guiding victims to install this remote access tool through Teams calls.

Once Quick Assist is active, attackers gain full control of the victim’s device, allowing for direct execution of malicious payloads.

The group also uses legitimate Microsoft executables, such as OneDriveStandaloneUpdater.exe, to side-load malicious DLLs (e.g., winhttp.dll) for persistence, data exfiltration, and command-and-control connections.
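As an added example (not code from the Sophos report or this article), the following Python flags the side-loading pattern just described in Sysmon Event ID 7 (ImageLoad) style records: OneDriveStandaloneUpdater.exe loading winhttp.dll from anywhere other than the Windows system directories, or loading it unsigned. The event layout and the sample records are constructed for illustration.

```python
"""Detect DLL side-loading of a system DLL name by a legitimate host binary.

Records mimic Sysmon ImageLoad fields (Image, ImageLoaded, Signed).
The pairing and sample events are constructed; extend WATCHED_PAIRS as needed."""
from pathlib import PureWindowsPath

# Host executables and the system DLL names they are expected to load
# from System32/SysWOW64 only (assumption: only the article's pairing listed).
WATCHED_PAIRS = {
    "onedrivestandaloneupdater.exe": {"winhttp.dll"},
}
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def _in_system_dir(dll_path):
    """True if the DLL sits directly in one of the Windows system directories."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return any(parent == str(d).lower() for d in SYSTEM_DIRS)


def find_sideloads(events):
    """Return events where a watched host loads a watched DLL name from
    outside the system directories, or loads it without a valid signature."""
    hits = []
    for ev in events:
        host = PureWindowsPath(ev["Image"]).name.lower()
        dll = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        if dll not in WATCHED_PAIRS.get(host, set()):
            continue
        if not _in_system_dir(ev["ImageLoaded"]) or ev.get("Signed") != "true":
            hits.append(ev)
    return hits


# Constructed sample: a benign load, a side-load from the user profile, and
# an unrelated process loading the real winhttp.dll.
ONEDRIVE_EXE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"
SAMPLE_EVENTS = [
    {"Image": ONEDRIVE_EXE, "ImageLoaded": r"C:\Windows\System32\winhttp.dll", "Signed": "true"},
    {"Image": ONEDRIVE_EXE,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

Feeding real Sysmon exports through the same function only requires mapping the event fields onto the three keys used here.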

Sophos detected STAC5777 scanning networks for SMB, RDP, and WinRM hosts using compromised credentials, indicative of lateral movement.
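As an added example (not from the Sophos report), this Python spots the discovery behaviour described above in flow or firewall logs: a single source reaching many distinct internal hosts on the SMB, RDP and WinRM ports within a short window. The log line format and the sample lines are constructed.

```python
"""Flag internal hosts that sweep SMB/RDP/WinRM ports across many peers.

Log format is constructed: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article names as targets of the network scanning (WinRM over HTTPS added).
DISCOVERY_PORTS = {445, 3389, 5985, 5986}


def parse_line(line):
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_scanners(lines, window=timedelta(minutes=5), min_hosts=5):
    """Return {src_ip: set_of_dst_ips} for sources that contacted at least
    min_hosts distinct destinations on discovery ports within any window."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst_ip, port = parse_line(line)
        if port in DISCOVERY_PORTS:
            per_src[src].append((ts, dst_ip))
    flagged = {}
    for src, conns in per_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # Slide the window start forward until the span fits the window.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            targets = {d for _, d in conns[start:end + 1]}
            if len(targets) >= min_hosts and len(targets) > len(flagged.get(src, ())):
                flagged[src] = targets
    return flagged


# Constructed sample: 10.0.0.5 probes six hosts on 445 and 3389 in five minutes;
# 10.0.0.7 makes one SMB connection and should not be flagged.
SAMPLE_LOG = (
    ["2024-11-20T10:00:00 10.0.0.5 -> 10.0.1.10:443"]
    + [f"2024-11-20T10:0{i}:00 10.0.0.5 -> 10.0.1.{20 + i}:445" for i in range(6)]
    + [f"2024-11-20T10:0{i}:30 10.0.0.5 -> 10.0.1.{20 + i}:3389" for i in range(6)]
    + ["2024-11-20T10:00:10 10.0.0.7 -> 10.0.1.50:445"]
)

if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} swept {len(hosts)} hosts on discovery ports: {sorted(hosts)}")
```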

In one case, the group attempted to deploy Black Basta ransomware, which Sophos blocked.

Both threat clusters rely heavily on social engineering and exploitation of Office 365’s default settings, such as allowing external Teams calls.

STAC5143 and STAC5777 have also adopted overlapping tactics, including:

  • Email bombing to create urgency and distraction.
  • Fake IT support calls via Teams to trick victims into granting remote control.
  • Malware delivery through legitimate Microsoft services, such as SharePoint and Quick Assist.
  • Persistent footholds using DLL side-loading, network discovery, and credential harvesting.

Sophos strongly recommends organizations proactively mitigate these threats by disabling external Teams communications unless necessary and restricting unauthorized applications like Quick Assist.

Organizations should integrate Office 365 with endpoint protection solutions to monitor for suspicious activities and raise employee awareness about these evolving tactics.

Enhanced training on identifying fake IT support requests and resisting urgency tactics is also essential.

Both STAC5143 and STAC5777 exemplify the increasing sophistication of ransomware and extortion-focused campaigns leveraging trusted platforms like Office 365.

Sophos’ analysis underscores the importance of robust endpoint protection, email security, and vigilant configuration management to detect and block these threats at early stages.

By adopting a layered defense strategy, organizations can better safeguard their systems from such adversarial campaigns. For indicators of compromise, refer to the Sophos X-Ops report.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
