Numerous 'Vishing' and email bombing techniques are used in Microsoft 365 attacks.

Through Microsoft Office 365, Sophos X-Ops' Managed Detection and Response (MDR) is alerting users to ransomware attacks that use email bombing and vishing, or posing as tech support

Sophos X-Ops' Managed Detection and Response (MDR) team is warning Microsoft Office 365 users of ransomware attacks that combine email bombing with vishing (voice phishing), in which the attackers pose as tech support. Two distinct threat groups are linked to these attacks, which Microsoft started looking into in response to customer complaints in November and December 2024. The threat groups being tracked are STAC5143 and STAC5777.

STAC5777 overlaps with a group that Microsoft has previously identified as Storm-1811, while STAC5143 employs tactics from an older Storm-1811 playbook. According to Sophos MDR, there have been more than 15 incidents involving these tactics in the last three months, half of them in the last two weeks.

One of these tactics is the use of Microsoft remote-control features such as Teams screen sharing or Quick Assist. Attackers take over the victim's device and install malware, using a threat actor-controlled Office 365 instance to impersonate tech support in Teams messages or Teams calls. They also use a tactic called "email bombing": sending a flood of spam emails to overwhelm Outlook mailboxes.

In their report, the Sophos researchers stated, "We believe with high confidence that both sets of adversarial activity are parts of ransomware and data theft extortion efforts." Black Basta and Python ransomware are among the malware the two gangs have used; the researchers note that STAC5777 is particularly active.

Sophos has implemented detections for the malware involved in these campaigns, but it advises businesses to take additional precautions, such as configuring their Microsoft 365 services to limit Teams calls from external organizations and educating staff about these tactics, which are not typically covered in anti-phishing training.
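As an added illustration (not from the Sophos report or its GitHub IoC list), the following Python sketch shows one way a defender might correlate the two tactics described above: a burst of inbound mail to a single mailbox followed shortly by a Teams call from outside the tenant. The log records, domain names, and thresholds are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.test"  # assumed tenant domain (constructed)
BASE = datetime(2025, 1, 20, 9, 0)

# Constructed mail-trace records: (timestamp, recipient mailbox, sender).
# alice receives 40 messages in ten minutes (an email bomb); bob gets normal mail.
MAIL_TRACE = [
    ((BASE + timedelta(seconds=15 * i)).isoformat(), "alice@example.test",
     f"signup{i}@random-site.test") for i in range(40)
] + [
    ((BASE + timedelta(minutes=30 * i)).isoformat(), "bob@example.test",
     "colleague@example.test") for i in range(5)
]

# Constructed Teams call records: (timestamp, callee, caller).
TEAMS_CALLS = [
    ("2025-01-20T09:12:00", "alice@example.test", "helpdesk@attacker-tenant.test"),
    ("2025-01-20T10:30:00", "bob@example.test", "carol@example.test"),
    ("2025-01-20T15:00:00", "alice@example.test", "sales@vendor.test"),
]


def email_bomb_windows(mail_trace, threshold=20, window=timedelta(minutes=10)):
    """Return {mailbox: start of burst} for mailboxes that received at least
    `threshold` messages inside any sliding window of length `window`."""
    by_box = defaultdict(list)
    for ts, box, _sender in mail_trace:
        by_box[box].append(datetime.fromisoformat(ts))
    hits = {}
    for box, times in by_box.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[box] = times[start]
                break
    return hits


def suspicious_external_calls(teams_calls, bombed, follow=timedelta(hours=2)):
    """Flag Teams calls from outside the tenant to a bombed mailbox that arrive
    within `follow` of the burst starting (the vishing step of the chain)."""
    alerts = []
    for ts, callee, caller in teams_calls:
        if caller.rsplit("@", 1)[-1] == INTERNAL_DOMAIN:
            continue  # internal caller; not the pattern described
        if callee in bombed:
            delta = datetime.fromisoformat(ts) - bombed[callee]
            if timedelta(0) <= delta <= follow:
                alerts.append((callee, caller, ts))
    return alerts
```

Calling `suspicious_external_calls(TEAMS_CALLS, email_bomb_windows(MAIL_TRACE))` flags only the call to alice from the external tenant twelve minutes after her inbox was flooded; the later external call falls outside the follow-up window.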

A list of Sophos's indicators of compromise (IoCs) for these campaigns is available on its GitHub site.