A pair of newly emergent ransomware operations, STAC5143 and STAC5777, have conducted over a dozen intrusions against organizations' employees during the last three months, exploiting Microsoft 365 and default Microsoft Teams configurations to facilitate tech support impersonation, SecurityWeek reports.
STAC5143 commenced its attacks by delivering a deluge of spam messages, followed by a Teams call purporting to be from "Help Desk Manager" that sought Teams-based remote screen control access to enable command execution and backdoor deployment, according to an analysis from Sophos. While using similar techniques, STAC5777 aimed for more hands-on-keyboard actions, luring targets into installing Microsoft Quick Assist to allow device takeovers, reconnaissance efforts, lateral movement, and attempted Black Basta ransomware compromise. The tactics employed by STAC5143 and STAC5777 should be added to employee anti-phishing training programs, Sophos noted. "Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social engineering-driven attacks depend upon," Sophos added.