Russian cybercriminals muscle in on Microsoft support scam

Beware unexpected Teams calls, says Sophos


Cyber gangs from Russia are increasingly acting as Microsoft support staff, in order to steal data or deliver ransomware to their victims.

Security vendor Sophos says it has seen two separate groups of threat actors using Microsoft 365 to target organisations, likely to steal data and deploy ransomware. Posing as support staff on Teams, they make contact with employees, apparently to help with a problem.

“Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users,” Sophos’ threat intelligence team says in a blog post.

Sophos tracks these threats as STAC5143 and STAC5777, and believes them to be associated with a threat group tracked by Microsoft as Storm-1811. It may also be related to a group known variously as FIN7, Sangria Tempest and Carbon Spider.

The methodology of the attacks includes: intense email spamming activity to overwhelm mailboxes; sending Teams messages and making Teams voice and video calls from an adversary-controlled Office 365 instance; and using Microsoft tools such as Quick Assist to gain remote control of the victim’s device.

Sophos has published indicators of compromise on GitHub.

The security company recommends that admins restrict access to remote control tools such as Quick Assist, and that they integrate Microsoft Office 365 with security tools to monitor potentially malicious inbound Teams or Outlook traffic.
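A defender-side check for the default Teams external-access setting described above, written as an added example for this page rather than code from Sophos or the original article. It assumes the MicrosoftTeams PowerShell module and a Teams administrator role, and is read-only: it reports whether the tenant still permits users on any external domain (or personal Teams accounts) to initiate chats and calls with internal users.

```powershell
# Added example: report whether a Microsoft 365 tenant still has the default
# Teams external-access (federation) configuration that lets users on any
# external domain start chats or calls with internal users.
# Assumptions: MicrosoftTeams module installed, Teams admin rights, read-only run.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$fed = Get-CsTenantFederationConfiguration

# Assumption about representation: on an untouched tenant AllowedDomains is an
# "AllowAllKnownDomains" object; once an admin sets an explicit allow list it
# becomes a list of domain entries. The raw value is printed so it can be verified.
Write-Host ("AllowedDomains raw value: " + $fed.AllowedDomains)
$allowAll = $fed.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains'

$findings = @()
if ($fed.AllowFederatedUsers -and $allowAll) {
    $findings += 'Federated users from ANY external domain can initiate Teams chats/calls.'
}
if ($fed.AllowTeamsConsumer -and $fed.AllowTeamsConsumerInbound) {
    $findings += 'Personal (consumer) Teams accounts can initiate inbound chats/calls.'
}
if ($fed.BlockedDomains.Count -gt 0) {
    Write-Host ("Explicitly blocked domains: " + ($fed.BlockedDomains -join ', '))
}

if ($findings.Count -eq 0) {
    Write-Host 'External access is restricted; no permissive defaults found.'
} else {
    Write-Host 'Tenant is on permissive external-access settings:'
    $findings | ForEach-Object { Write-Host " - $_" }
    # Mitigation matches the article's advice: allow-list trusted partner domains
    # (Set-CsTenantFederationConfiguration -AllowedDomains) and feed Teams audit
    # data into security tooling to spot inbound external chats/calls that are
    # followed by a Quick Assist session.
}
```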

“Organisations should also raise employee awareness of these types of tactics—these aren’t the types of things that are usually covered in anti-phishing training,” the post says.

“Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social-engineering driven attacks depend upon.”