Hackers exploit Microsoft Teams in social engineering attack
Tshedimoso Makhene Jan 23, 2025 3:20:05 PM
Cybercriminals manipulate victims through Microsoft Teams to gain remote access via Teams screen sharing or Microsoft Quick Assist and deploy malware.
What happened
Security researchers have flagged the re-emergence of a social engineering tactic targeting employees: attackers affiliated with ransomware groups flood an employee's inbox with thousands of emails and then pose as IT support representatives in Microsoft Teams. The goal is to gain remote access to the employee's work computer and deploy malicious software, including ransomware.
Sophos, a leading security vendor, recently uncovered two threat actor groups, STAC5143 and STAC5777, using this tactic since November 2024. Both abused a default Microsoft Teams configuration that allows users on external domains to initiate chats and meetings with internal users. One of the groups, STAC5777, overlaps with the Microsoft-tracked Storm-1811 and has distributed Black Basta ransomware in these campaigns.
In other news: 500+ organizations globally breached in Black Basta ransomware attack
Going deeper
The attack begins with an email-bombing campaign aimed at overwhelming employees and creating a sense of urgency. Shortly after, attackers initiate Teams calls posing as members of the organization's IT department, using deceptive account names like "Help Desk Manager."
Once trust is gained, the attackers request remote access to the victim’s system. STAC5143 relies on Teams' built-in screen-sharing functionality to execute commands and download malware. Meanwhile, STAC5777 instructs victims to install Microsoft Quick Assist, leveraging its remote desktop capabilities to download payloads.
Both groups host their payloads on Microsoft-associated infrastructure such as SharePoint and Azure, so the downloads blend in with legitimate Microsoft traffic and are less likely to be blocked by security tools. Sophos reported that the attackers planted backdoors, stole data and, in some cases, deployed Black Basta ransomware.
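The sequence described above (a burst of inbound mail to one mailbox, then a Teams chat or call from an external tenant shortly afterwards) is the kind of pattern a SOC can hunt for directly. The following PowerShell script is an added example, not code from the article or from Sophos. The event records are constructed for illustration, with made-up users, timestamps and the tenant name "helpdesk-support.onmicrosoft.com"; the thresholds are assumptions to tune against your own message-trace and Teams audit data.

```powershell
# Added example: flag users who received an email bomb and were then
# contacted over Teams from an external tenant within a short follow-up window.
function Find-TeamsVishingCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with time, user, type, source, tenant
        [int] $MailThreshold     = 50,               # assumed: messages in one window that count as a bomb
        [int] $MailWindowMinutes = 10,               # assumed: width of the sliding window
        [int] $FollowUpMinutes   = 60                # assumed: how long after the burst a contact is suspicious
    )
    $results = @()
    foreach ($group in ($Events | Group-Object -Property user)) {
        $user     = $group.Name
        $mails    = @($group.Group | Where-Object { $_.type -eq 'mail' } | Sort-Object time)
        $external = @($group.Group | Where-Object { $_.type -eq 'teams' -and $_.source -eq 'external' } | Sort-Object time)
        if ($mails.Count -lt $MailThreshold -or $external.Count -eq 0) { continue }

        # Sliding window over mail timestamps: record the first moment at which
        # $MailThreshold messages have arrived within $MailWindowMinutes.
        $burstEnd = $null
        $start = 0
        for ($end = 0; $end -lt $mails.Count; $end++) {
            while (($mails[$end].time - $mails[$start].time).TotalMinutes -gt $MailWindowMinutes) { $start++ }
            if (($end - $start + 1) -ge $MailThreshold) { $burstEnd = $mails[$end].time; break }
        }
        if (-not $burstEnd) { continue }

        # Any external Teams contact inside the follow-up window is a candidate.
        foreach ($contact in $external) {
            $delta = ($contact.time - $burstEnd).TotalMinutes
            if ($delta -ge 0 -and $delta -le $FollowUpMinutes) {
                $results += [pscustomobject]@{
                    User              = $user
                    BurstEnd          = $burstEnd
                    TeamsContact      = $contact.time
                    ContactTenant     = $contact.tenant
                    MinutesAfterBurst = [math]::Round($delta, 1)
                }
            }
        }
    }
    return $results
}

# Constructed sample events (not real logs).
$base   = [datetime]::new(2025, 1, 20, 9, 0, 0, [DateTimeKind]::Utc)
$events = @()

# alice: 60 inbound messages in five minutes, then a Teams call from an unknown tenant 20 minutes later.
for ($i = 0; $i -lt 60; $i++) {
    $events += [pscustomobject]@{ time = $base.AddSeconds(5 * $i); user = 'alice@corp.example'; type = 'mail'; source = 'external'; tenant = $null }
}
$events += [pscustomobject]@{ time = $base.AddMinutes(20); user = 'alice@corp.example'; type = 'teams'; source = 'external'; tenant = 'helpdesk-support.onmicrosoft.com' }

# bob: normal mail volume and an internal Teams chat; should not be flagged.
for ($i = 0; $i -lt 4; $i++) {
    $events += [pscustomobject]@{ time = $base.AddMinutes(3 * $i); user = 'bob@corp.example'; type = 'mail'; source = 'external'; tenant = $null }
}
$events += [pscustomobject]@{ time = $base.AddMinutes(30); user = 'bob@corp.example'; type = 'teams'; source = 'internal'; tenant = 'corp.example' }

# carol: an external Teams chat with no preceding mail burst (a legitimate partner); should not be flagged.
$events += [pscustomobject]@{ time = $base.AddMinutes(45); user = 'carol@corp.example'; type = 'teams'; source = 'external'; tenant = 'partner.example' }

Find-TeamsVishingCandidates -Events $events | Format-Table -AutoSize
```

Only alice is reported. In production the mail side would come from Exchange message trace and the Teams side from the unified audit log, and the external-tenant field is what lets you separate a vetted partner domain from a tenant the attackers created for the campaign.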
What was said
“Sophos is tracking these threats as STAC5143 and STAC5777,” the company stated in its report. “Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users.”
The report highlighted STAC5143’s links to FIN7, an established cybercriminal group connected to several ransomware operations, including REvil and LockBit. According to Sophos, “The STAC5777 group overlaps with Storm-1811 and has been engaged in similar Teams-based voice phishing (vishing) attacks since May 2024.”
Sophos also emphasized the importance of employee awareness: “Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social-engineering-driven attacks depend upon.”
In the know
Vishing, or voice phishing, is a social engineering attack where cybercriminals use phone calls or voice messages to deceive individuals into revealing sensitive information, such as passwords, financial details, or personal data. Posing as trusted entities—like banks, tech support, or government officials—attackers manipulate victims into complying with their requests. Unlike email phishing, vishing exploits the immediacy of human interaction, often leveraging urgency or fear to pressure victims into taking harmful actions, such as granting remote access or sharing confidential information.
Related: What is a phishing attack?
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
Why do cybercriminals use legitimate platforms like Microsoft Teams?
Legitimate platforms like Microsoft Teams are trusted by users, making them ideal for attackers to impersonate employees or partners and manipulate victims into granting access.
What steps should organizations take to prevent such attacks?
Organizations should restrict external access in Microsoft Teams, since the default configuration that lets users on external domains start chats and meetings is what these attackers abused; control or block remote-access tools such as Quick Assist on endpoints; enforce multi-factor authentication; train employees to recognize urgency-driven social engineering and to know who their real IT support team is; and verify third-party affiliations before granting any access.
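The first of those controls is a tenant setting, and it is the one the Sophos report singles out (both in the "What happened" section and in the quoted passage about external domains). The following PowerShell is an added example, not code from the article, Sophos or Microsoft's documentation; it assumes the MicrosoftTeams PowerShell module and Teams-administrator rights, and "partner.example" is a placeholder domain.

```powershell
# Added example: lock down Teams external access so arbitrary external
# tenants can no longer initiate chats or calls with internal users.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Before: on an unmodified tenant AllowFederatedUsers is $true and AllowedDomains
# is "AllowAllKnownDomains", which is the default the article describes.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# Option A (strictest): no external-domain federation and no personal (consumer) Teams accounts.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# Option B: keep external access, but only for an explicit allowlist of vetted partner domains.
# An attacker-controlled tenant is not on the list, so its users cannot start a chat or call.
$allowList = New-CsEdgeAllowList -AllowedDomain @(
    New-CsEdgeDomainPattern -Domain 'partner.example'
)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Verify the change took effect.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains
```

Pick one of the two options rather than running both; Option A is simplest if the organization has no legitimate need for external Teams contact, Option B when a handful of partners do. The endpoint side of the advice, controlling Quick Assist, is a separate step taken on the workstations (for example removing the Store package with Remove-AppxPackage, or restricting it through application control), not in this tenant session.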
Go deeper: Preventing cyberattacks in your organization