- Sophos researchers said they saw two groups engaging in email attacks
- At least 15 organizations have been targeted in the past three months
- The goal is to steal sensitive data and deploy ransomware
At least two groups of threat actors are conducting email bombing campaigns against many Western organizations, trying to steal their data and deploy ransomware.
Cybersecurity researchers Sophos
Email bombing is not a new tactic. It involves “bombarding” the victim with hundreds or even thousands of emails in a very short period of time, after which the attackers contact the victim pretending to be an IT administrator or a member of the company’s network support staff.
Russian hackers
The attackers would contact via Microsoft Teams or similar online collaboration tools and offer to resolve the issue. If the victim takes the bait, the attackers would demand access to Quick Assist or Microsoft Teams screen sharing, to take control of their targets’ computers. Once access was granted, the attackers would deploy ransomware, the researchers said.
Although Sophos financially motivated.
The second group is apparently linked to Storm-1811, another group of money-motivated cybercriminals. This collective is known for deploying Black Basta ransomware via sophisticated social engineering attacks, and has been observed impersonating IT personnel in the past.
For Sean Gallagher, senior threat researcher at Sophos, the key to the problem is that the default configuration of Teams allows people outside an organization to chat or call internal company staff.
“Since many businesses rely on managed service providers for their IT support, receiving a Teams call from an unknown person labeled as ‘Help Desk Manager’ may not raise any alarm bells, especially if combined with an overwhelming amount of spam,” Gallagher said.
“As Sophos continues to see new MDR and IR cases associated with these tactics, we want businesses using Microsoft 365 to be on alert. They should review company-wide configurations, block external account messages if possible, and block remote access tools and remote machine management tools that are not regularly used by their organization.”
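The review Gallagher recommends can be scripted. The following is an added example, not code from Sophos or the article: it audits the Teams external-access settings that let outsiders message staff, optionally narrows federation to an explicit partner allowlist, and reports whether Quick Assist is present on the endpoint. It assumes the MicrosoftTeams PowerShell module, a Teams admin account, local elevation for the capability check, and uses `msp.example` as a placeholder for your real service provider's domain.

```powershell
# Added example (not from the Sophos report): audit the Teams external-access
# settings the article calls out, then optionally narrow them to an allowlist.
# Assumes the MicrosoftTeams module and a Teams admin account; 'msp.example'
# is a placeholder for the managed service provider you actually work with.
param(
    [string[]]$TrustedPartnerDomains = @('msp.example'),  # placeholder domain
    [switch]$Enforce                                      # audit-only unless set
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# 1. Tenant-wide federation: who outside the organisation may chat or call in.
$fed = Get-CsTenantFederationConfiguration
$findings = @()
# With open federation, AllowedDomains is an AllowAllKnownDomains object that has
# no AllowedDomain list; with an allowlist it is an AllowList carrying one.
if ($fed.AllowFederatedUsers -and -not $fed.AllowedDomains.AllowedDomain) {
    $findings += 'Any external Microsoft 365 tenant can message or call staff (open federation).'
}
if ($fed.AllowTeamsConsumer) { $findings += 'Personal (consumer) Teams accounts can contact staff.' }
if ($fed.AllowPublicUsers)   { $findings += 'Skype consumer accounts can contact staff.' }

if ($findings.Count -eq 0) { Write-Host 'External access is already restricted.' }
else { $findings | ForEach-Object { Write-Warning $_ } }

# 2. Optional hardening: replace open federation with an explicit partner
#    allowlist and turn off consumer-account access. Only runs with -Enforce,
#    so a plain invocation is read-only.
if ($Enforce) {
    $patterns  = $TrustedPartnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList `
        -AllowTeamsConsumer $false -AllowPublicUsers $false
    Write-Host "Federation limited to: $($TrustedPartnerDomains -join ', ')"
}

# 3. Endpoint side (needs an elevated shell): report whether Quick Assist, the
#    remote-control tool the attackers asked victims for, is installed here.
$qa = Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*'
if ($qa -and $qa.State -eq 'Installed') {
    Write-Warning "Quick Assist is installed ($($qa.Name)); if unused, remove it with Remove-WindowsCapability -Online -Name '$($qa.Name)'."
}
```

Run it without `-Enforce` first to see the findings; rerun with `-Enforce` only after confirming the allowlist covers every provider that legitimately needs to reach staff through Teams.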