Ransomware, Threat Intelligence, Phishing

Microsoft services exploited in separate ransomware campaigns


A pair of newly emergent ransomware operations, STAC5143 and STAC5777, have conducted over a dozen intrusions against organizations' employees during the last three months, exploiting Microsoft 365 and default Microsoft Teams configurations to facilitate tech support impersonation, SecurityWeek reports.

STAC5143 began its attacks by delivering a deluge of spam messages, followed by a Teams call purporting to be from "Help Desk Manager" that sought Teams-based remote screen control access to enable command execution and backdoor deployment, according to an analysis from Sophos. While using similar techniques, STAC5777 aimed for more hands-on-keyboard actions, luring targets to install Microsoft Quick Assist to allow device takeovers, reconnaissance efforts, lateral movement, and attempted Black Basta ransomware compromise. Tactics employed by STAC5143 and STAC5777 should be added to employee anti-phishing training programs, noted Sophos. "Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social engineering-driven attacks depend upon," Sophos added.
