2025-01-21
In a disturbing new trend, ransomware gangs are leveraging email bombing campaigns and impersonating tech support in Microsoft Teams calls to deceive employees into granting remote access. This tactic allows attackers to install malware, gain control of corporate networks, and potentially deploy ransomware. Cybersecurity experts at Sophos have uncovered multiple campaigns using this method, with some linked to notorious groups like FIN7 and Black Basta.
The Anatomy of the Attack
The attackers begin by flooding a target's inbox with thousands of spam emails in a short timeframe, sometimes as many as 3,000 messages in just 45 minutes. This email bombing is designed to overwhelm the victim and create a sense of urgency. Shortly after, the target receives a call on Microsoft Teams from an account posing as a "Help Desk Manager" or IT support representative. The caller convinces the employee to allow remote screen control, often under the guise of resolving a technical issue.
Once access is granted, the attackers deploy malicious tools. In one campaign, they dropped a Java archive (JAR) file and Python scripts via an external SharePoint link. The JAR file executed PowerShell commands to download a legitimate ProtonVPN executable, which side-loaded a malicious DLL (nethost.dll). This DLL established an encrypted command-and-control (C2) channel, giving the attackers remote access to the compromised system.
The attackers also used the Windows Management Instrumentation command-line tool (WMIC) and whoami.exe to gather system details, and deployed second-stage Java malware to execute RPivot, a penetration testing tool that enables SOCKS4 proxy tunneling. RPivot has previously been associated with FIN7, a well-known cybercriminal group. However, Sophos notes that while the tools and techniques overlap with FIN7's methods, the attacks cannot be definitively attributed to that group because these tools are publicly available.
A Second Campaign: Quick Assist Exploitation
In another campaign, tracked as STAC5777, the attackers used a similar email bombing tactic but shifted their approach in Microsoft Teams. Instead of requesting remote screen control directly, they tricked the victim into installing Microsoft Quick Assist, a legitimate remote support tool. Once installed, the attackers used Quick Assist to download malware hosted on Azure Blob Storage.
The malware, winhttp.dll, was side-loaded into a legitimate Microsoft OneDriveStandaloneUpdater.exe process. A PowerShell command created a service to ensure the malware relaunched at system startup. This malicious DLL logged keystrokes, harvested credentials from files and the registry, and scanned the network for potential pivoting points using SMB, RDP, and WinRM.
Sophos observed STAC5777 attempting to deploy Black Basta ransomware, suggesting a connection to the infamous ransomware group. The attackers also accessed local documents with "password" in the file name and explored Remote Desktop Protocol (RDP) files, likely searching for credentials to escalate their access.
What Undercode Says:
The rise of these sophisticated attacks highlights the evolving tactics of ransomware gangs. By combining email bombing with social engineering in Microsoft Teams, attackers exploit human psychology and default software configurations to infiltrate corporate networks. Here's a deeper analysis of the implications and countermeasures:
1. Exploitation of Trust and Urgency: The use of email bombing creates a sense of chaos, making employees more susceptible to social engineering. When combined with a seemingly legitimate Teams call from "IT support," the likelihood of compliance increases. Organizations must train employees to recognize these tactics and verify the identity of anyone requesting remote access.
2. Default Configurations as Weak Points: Microsoft Teams' default settings allow external domains to initiate calls and chats, providing an easy entry point for attackers. Companies should consider restricting external communications or implementing additional verification steps for unsolicited support requests.
3. Legitimate Tools Turned Malicious: Attackers are increasingly abusing legitimate tools like Quick Assist and OneDriveStandaloneUpdater.exe to side-load malware. This blurs the line between legitimate and malicious activity, making detection more challenging. Endpoint detection and response (EDR) solutions should be configured to monitor for unusual behavior, even in trusted processes.
4. The Role of Publicly Available Tools: The use of publicly available tools like RPivot and obfuscation techniques complicates attribution. While these tools are associated with groups like FIN7, their widespread availability means they could be used by any threat actor. This underscores the importance of focusing on behavior-based detection rather than relying solely on known indicators of compromise (IOCs).
5. Proactive Defense Strategies: Organizations should adopt a multi-layered defense strategy, including:
– Disabling Quick Assist in critical environments.
– Implementing strict email filtering to mitigate email bombing.
– Monitoring for unusual PowerShell activity and side-loading attempts.
– Regularly updating and patching software to close potential vulnerabilities.
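One way to turn the side-loading monitoring recommended above into a concrete check, covering both patterns described in the article (winhttp.dll planted beside OneDriveStandaloneUpdater.exe, and nethost.dll beside a ProtonVPN binary): the script below scores Sysmon Event ID 7 (ImageLoad) records for a system DLL name loaded from outside the Windows directories, and for an executable in a user-writable folder loading an unsigned DLL that sits next to it. This is an added example, not code from Sophos or the article; the event records are constructed, and the system-DLL list and user-writable directory markers are assumptions to tune per environment.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) records."""
from __future__ import annotations
from pathlib import PureWindowsPath

# Windows libraries that belong in the system directories (assumed list; winhttp.dll is
# the one named in the article). A same-named file loaded from anywhere else is the
# classic side-loading pattern.
SYSTEM_DLLS = {"winhttp.dll", "version.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Path markers for directories an unprivileged user can write to (assumed list). A host EXE
# started from such a folder that loads an unsigned DLL beside it is the second pattern.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def sideload_reasons(event: dict) -> list[str]:
    """Return why one ImageLoad event looks like side-loading; an empty list means benign."""
    host = PureWindowsPath(event["Image"])          # process that loaded the DLL
    dll = PureWindowsPath(event["ImageLoaded"])     # DLL that was mapped
    unsigned = event.get("Signed", "true").lower() == "false"
    reasons = []
    if dll.name.lower() in SYSTEM_DLLS and not in_system_dir(str(dll)):
        reasons.append(f"{dll.name} loaded from {dll.parent} instead of a system directory")
    if dll.parent == host.parent and unsigned and in_user_writable(str(host)):
        reasons.append(f"{host.name} in a user-writable folder loaded unsigned sibling {dll.name}")
    return reasons


def find_sideloads(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious host executable path to the reasons it was flagged."""
    return {e["Image"]: r for e in events if (r := sideload_reasons(e))}


# Constructed records mirroring the two campaigns (not real telemetry); the last two are benign.
CONSTRUCTED_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\winhttp.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\ProtonVPN\ProtonVPN.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\ProtonVPN\nethost.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Proton\VPN\ProtonVPN.exe",
     "ImageLoaded": r"C:\Program Files\Proton\VPN\nethost.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, reasons in find_sideloads(CONSTRUCTED_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The same rules apply unchanged to exported Sysmon XML or an EDR's image-load events once the three fields are mapped.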
6. The Growing Threat of Ransomware: The attempted deployment of Black Basta ransomware in the STAC5777 campaign highlights the end goal of many such attacks. Ransomware gangs are not just after quick payouts; they aim to exfiltrate data and cause maximum disruption. Companies must prioritize data backups, network segmentation, and incident response planning to minimize the impact of a potential breach.
Conclusion
As ransomware gangs continue to refine their tactics, organizations must stay vigilant and adapt their defenses. By understanding the methods used in these attacks, such as email bombing, social engineering, and the abuse of legitimate tools, businesses can better protect themselves. Proactive measures, employee training, and robust cybersecurity policies are essential to thwarting these increasingly sophisticated threats. The time to act is now, before the next wave of attacks strikes.
References:
Reported By: Bleepingcomputer.com