Sophos has reported that two ransomware groups, STAC5143 and STAC5777, potentially linked to Black Basta and FIN7, are exploiting Microsoft Teams to launch attacks on organizations. The attackers utilized vulnerabilities in Microsoft Office 365 service tenants, particularly through a default configuration in Teams that allows external users to initiate communication. STAC5143 notably targeted smaller organizations with a novel approach, while STAC5777 has previous associations with attacks via the Quick Assist tool. One alarming method involved spam emails followed by unsolicited Teams calls from a fake help desk to gain remote access.
STAC5143 first appeared on the Sophos team's radar in November, when a customer reported receiving more than 3,000 spam emails in a 45-minute period.
STAC5777 overlaps with a group Microsoft tracks as Storm-1811 that has previously abused Microsoft's Quick Assist application to deploy Black Basta ransomware.
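
A defender can correlate the two signals described above, a mail flood against one mailbox followed by a Teams contact from outside the organization. The sketch below is an added example, not code from Sophos or Microsoft. The event tuples, tenant identifiers, alert threshold and follow-up window are all assumptions to adapt to your own mail and Teams audit logs.

```python
from collections import deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=45)  # window length taken from the reported incident
BURST_THRESHOLD = 500                 # assumed alert threshold; tune per environment
FOLLOW_UP = timedelta(hours=1)        # assumed gap between mail flood and Teams contact
HOME_TENANT = "home-tenant-id"        # placeholder for the organization's own tenant

def mail_bursts(mail_events):
    """Return {recipient: time the sliding window first reached BURST_THRESHOLD}."""
    windows, bursts = {}, {}
    for ts, recipient in sorted(mail_events):
        win = windows.setdefault(recipient, deque())
        win.append(ts)
        while ts - win[0] > BURST_WINDOW:  # drop mail older than the window
            win.popleft()
        if len(win) >= BURST_THRESHOLD and recipient not in bursts:
            bursts[recipient] = ts
    return bursts

def correlate(mail_events, teams_events):
    """Flag external Teams contacts that reach a user shortly after a mail burst."""
    bursts = mail_bursts(mail_events)
    alerts = []
    for ts, target, sender_tenant, kind in sorted(teams_events):
        start = bursts.get(target)
        if start is None or sender_tenant == HOME_TENANT:
            continue  # no flood for this user, or the contact is internal
        if timedelta(0) <= ts - start <= FOLLOW_UP:
            alerts.append((target, kind, sender_tenant, ts))
    return alerts

def sample_events():
    """Constructed data: one flooded mailbox, one quiet one, three Teams contacts."""
    t0 = datetime(2025, 1, 6, 9, 0)
    mail = [(t0 + timedelta(seconds=i * 0.9), "alice@example.com") for i in range(3000)]
    mail += [(t0 + timedelta(minutes=i), "bob@example.com") for i in range(40)]
    teams = [
        (t0 + timedelta(minutes=50), "alice@example.com", "external-tenant-id", "call"),
        (t0 + timedelta(minutes=20), "bob@example.com", "external-tenant-id", "chat"),
        (t0 + timedelta(minutes=30), "alice@example.com", HOME_TENANT, "call"),
    ]
    return mail, teams

if __name__ == "__main__":
    for alert in correlate(*sample_events()):
        print("ALERT", alert)
```

Only the external call to the flooded mailbox is flagged; the internal call and the external chat to a mailbox with normal volume are not.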