
Microsoft Services Exploited in Separate Ransomware Campaigns


A pair of newly emergent ransomware operations, STAC5143 and STAC5777, has conducted over a dozen intrusions during the last three months by exploiting Microsoft 365 and default Microsoft Teams configurations that facilitate tech support impersonation and targeting of company employees, SecurityWeek reports.

Sophos researchers said STAC5143 began its attacks by delivering a deluge of spam messages, followed by a Teams call purporting to come from "Help Desk Manager" that sought Teams-based remote screen control access to enable command execution and backdoor deployment.

Although it used similar techniques, STAC5777 aimed for more hands-on-keyboard actions, luring targets into installing Microsoft Quick Assist to allow device takeovers, reconnaissance, lateral movement, and attempted Black Basta ransomware compromise. Sophos noted that the tactics employed by STAC5143 and STAC5777 should be added to employee anti-phishing training programs.
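One way a detection team could correlate the sequence described above (a spam flood, then an external Teams call, then remote control through Teams screen sharing or Quick Assist), added here as an example and not taken from Sophos or SecurityWeek. The event schema, field names, threshold and time window are assumptions to be mapped onto your own mail, Teams and endpoint telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FLOOD_COUNT = 50             # assumed threshold: inbound mails per user in WINDOW
WINDOW = timedelta(hours=1)  # assumed maximum gap between stages

def is_remote_control(ev):
    """Teams screen-control grant (STAC5143) or Quick Assist launch (STAC5777)."""
    if ev["type"] == "teams_screen_control":
        return True
    return (ev["type"] == "process_start"
            and ev["image"].lower().endswith("quickassist.exe"))

def correlate(events):
    """Return {user: severity} for users whose events follow the reported order."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        mails, flood_at, call_at = deque(), None, None
        for ev in sorted(evs, key=lambda e: e["time"]):
            t = ev["time"]
            if ev["type"] == "mail_in":
                mails.append(t)
                while t - mails[0] > WINDOW:      # keep a sliding one-hour window
                    mails.popleft()
                if len(mails) >= FLOOD_COUNT:
                    flood_at = t
            elif ev["type"] == "teams_call" and ev["external"]:
                if flood_at is not None and t - flood_at <= WINDOW:
                    call_at = t
                    alerts[user] = "medium"       # flood followed by external call
            elif is_remote_control(ev):
                if call_at is not None and t - call_at <= WINDOW:
                    alerts[user] = "high"         # remote control after that call
    return alerts

def sample_events():
    """Constructed sample data, not taken from any real incident."""
    t0 = datetime(2025, 1, 1, 9, 0)
    evs = [{"time": t0 + timedelta(seconds=20 * i), "user": "alice",
            "type": "mail_in"} for i in range(60)]
    evs.append({"time": t0 + timedelta(minutes=30), "user": "alice",
                "type": "teams_call", "external": True, "caller": "Help Desk Manager"})
    evs.append({"time": t0 + timedelta(minutes=40), "user": "alice",
                "type": "process_start", "image": r"C:\Windows\System32\QuickAssist.exe"})
    # bob: external call without a flood; carol: Quick Assist without a call
    evs.append({"time": t0, "user": "bob", "type": "teams_call", "external": True, "caller": "Vendor"})
    evs.append({"time": t0, "user": "carol", "type": "process_start", "image": r"C:\Windows\System32\quickassist.exe"})
    return evs
```

Matching on event order rather than on the caller's display name keeps the rule useful if the impersonated name changes.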

"Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social engineering-driven attacks depend upon," Sophos added.
