Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks

Sophos noted more than 15 attacks have been reported during the past three months.

DARKReading

NEWS BRIEF

Sophos X-Ops’ Managed Detection and Response (MDR) team is warning of ransomware attacks that combine email bombing with attackers posing as tech support over Microsoft Office 365 voice and chat, a tactic known as vishing.

These attacks are tied to two separate threat groups, which Microsoft began investigating in response to customer incidents in November and December 2024. The threat groups are tracked as STAC5143 and STAC5777.

STAC5777 overlaps with a group previously identified by Microsoft as Storm-1811, while STAC5143 is using tactics from an old Storm-1811 playbook.

According to Sophos MDR, there have been more than 15 incidents involving these tactics in the past three months, half of them occurring just in the last two weeks.

These tactics include using Microsoft remote control tools such as Quick Assist or Teams screen sharing. From there, attackers take control of a victim’s device and install malware, having first sent Teams messages or made Teams calls from a threat actor-controlled Office 365 instance while impersonating tech support. They also send large volumes of spam emails to overwhelm Outlook mailboxes, a strategy known as email bombing.

“We believe with high confidence that both sets of adversarial activity are parts of ransomware and data theft extortion efforts,” said the Sophos researchers in their report.

The ransomware deployed by these two groups includes Black Basta and Python-based ransomware; the researchers note that STAC5777 in particular is highly active.

Though Sophos has deployed detections for the malware used in these campaigns, it recommends organizations take further steps to prevent attacks, such as configuring their Microsoft 365 tenants to restrict Teams calls from outside organizations and raising employee awareness of these tactics, which are not normally covered in anti-phishing training.
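The Teams hardening step Sophos recommends is a tenant federation setting. The following PowerShell is an added example for administrators, not code from the Dark Reading article or from Sophos; it assumes the MicrosoftTeams PowerShell module and Teams administrator rights, and `partner.example` is a placeholder for a domain the organization genuinely needs to collaborate with.

```powershell
# Added example (not from the article): audit and tighten Teams external access
# so that unsolicited calls and chats from other tenants cannot reach users.
# Assumes the MicrosoftTeams module is installed and the caller is a Teams admin.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

function Test-TeamsExternalAccess {
    # Returns $true when the tenant is in the exposed state the campaign relies on:
    # federation enabled with no domain allow list, or consumer (personal) Teams
    # accounts permitted to initiate contact.
    $cfg = Get-CsTenantFederationConfiguration
    $allowList = @($cfg.AllowedDomains.AllowedDomain)   # empty when "allow all known domains"

    $cfg | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                         AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains | Format-List

    $exposed = $false
    if ($cfg.AllowFederatedUsers -and $allowList.Count -eq 0) {
        Write-Warning "Federation is open to every external tenant (no allow list)."
        $exposed = $true
    }
    if ($cfg.AllowTeamsConsumer -or $cfg.AllowTeamsConsumerInbound) {
        Write-Warning "Personal Teams accounts can contact your users."
        $exposed = $true
    }
    return $exposed
}

function Set-TeamsExternalAccessRestricted {
    param(
        [ValidateSet('BlockAll', 'AllowList')] [string] $Mode = 'BlockAll',
        [string[]] $PartnerDomains = @()
    )

    # Consumer (personal) Teams accounts are never needed for business support calls.
    Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

    if ($Mode -eq 'BlockAll') {
        # Simplest posture: no calls or chats from any other Microsoft 365 tenant.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
    }
    else {
        # Keep federation, but only with explicitly named partner domains.
        $patterns = $PartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowed  = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowed
    }
}

# Usage: audit first, then restrict. 'partner.example' is a placeholder domain.
if (Test-TeamsExternalAccess) {
    Set-TeamsExternalAccessRestricted -Mode AllowList -PartnerDomains @('partner.example')
    Test-TeamsExternalAccess | Out-Null   # re-run to confirm the warnings are gone
}
```

`BlockAll` is the posture that most directly removes the initial contact vector described above; the allow-list mode is for tenants that must keep federating with known partners. Either way the change applies tenant-wide, so confirm with the collaboration owners before running it.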

Sophos has published a list of indicators of compromise for these campaigns on its GitHub repository.
