Introduction
Sophos MDR researchers have identified two ransomware-linked threat clusters [8], tracked as STAC5143 and STAC5777 [1] [2] [3] [4] [5] [8] [9] [10] [11] [12], that abuse Microsoft Teams and other Microsoft 365 services to gain unauthorized access to corporate systems [12]. Both clusters combine email bombing with vishing over Teams to obtain remote access to employee workstations, then use that access for data theft and potential extortion.
Description
The two clusters, designated STAC5143 and STAC5777 [2] [3] [4] [8] [10] [11] [12], exploit Microsoft Teams and other Microsoft 365 services to gain unauthorized access to corporate employees' work computers for data exfiltration and potential extortion [8]. Both follow the same two-step social engineering pattern [5]: the target's mailbox is flooded with spam (email bombing), and the attacker then contacts the target over Microsoft Teams (vishing) while posing as internal IT support, in order to persuade the employee to grant remote access.
STAC5777 overlaps with Storm-1811 [8], a financially motivated cybercrime group that has run Teams-based vishing attacks since May 2024 and is known for deploying Black Basta ransomware. The cluster gains remote access through Microsoft Quick Assist. A typical intrusion starts with up to 3,000 spam emails delivered to the target's Outlook mailbox within a short timeframe, followed by Teams messages impersonating internal IT support that create a sense of urgency. The attacker then instructs the victim to install Microsoft Quick Assist and accept a connection, which the attacker uses to download malicious payloads [2]. In one incident the attacker downloaded two .dat files and combined them into an archive named pack.zip [7]. The archive contained a legitimate, signed OneDriveStandaloneUpdater.exe [7], two legitimate OpenSSL Toolkit DLLs [7], an unknown winhttp.dll [7], and a file named settingsbackup.dat [7]. Because OneDriveStandaloneUpdater.exe loads winhttp.dll by name, the malicious copy placed beside it was sideloaded automatically [7]. That DLL acted as a backdoor [2] [7]: it collected system configuration details and the current user's name [7], recorded keystrokes [7], and, researchers believe, was designed to decrypt settingsbackup.dat and execute it as a second-stage payload [7]. For lateral movement the attackers used RDP and Windows Remote Management [3].
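Two of the signals in the STAC5777 chain above can be checked from logs: the sudden flood of mail into one mailbox, and an unsigned winhttp.dll being loaded by OneDriveStandaloneUpdater.exe from outside the Windows system directories. The PowerShell below is an added example written for this page, not code from the article or from Sophos. Its input records are constructed inline to resemble Exchange Online message-trace rows and Sysmon Event ID 7 (Image loaded) fields; the window size, threshold, and file paths are assumptions to be tuned against your own baseline.

```powershell
# Added example (not from the original article or from Sophos): two offline
# detections for the STAC5777 tradecraft described above. All input records are
# constructed here; field names follow Exchange Online message trace (Received,
# SenderAddress, RecipientAddress) and Sysmon Event ID 7 (Image, ImageLoaded, Signed).

# --- 1. Email bombing: many messages landing in one mailbox inside a short window ---
function Find-MailboxFlood {
    param(
        [Parameter(Mandatory)] [object[]] $Messages,
        [int] $WindowMinutes = 10,     # assumption: sliding window length
        [int] $Threshold     = 100     # assumption: tune to the tenant's normal per-user volume
    )
    $hits = @()
    foreach ($group in ($Messages | Group-Object RecipientAddress)) {
        $times = @($group.Group | Sort-Object Received | Select-Object -ExpandProperty Received)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Advance the window start until the window spans at most $WindowMinutes
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                $hits += [pscustomobject]@{
                    Recipient = $group.Name
                    Count     = $end - $start + 1
                    WindowEnd = $times[$end]
                }
                break   # one alert per mailbox is enough
            }
        }
    }
    return $hits
}

# --- 2. DLL sideload: OneDriveStandaloneUpdater.exe loading winhttp.dll from a user-writable path ---
function Find-SuspiciousWinHttpLoad {
    param([Parameter(Mandatory)] [object[]] $ImageLoads)
    # -like is case-insensitive in PowerShell, so mixed-case paths still match
    $ImageLoads | Where-Object {
        $_.Image       -like    '*\OneDriveStandaloneUpdater.exe' -and
        $_.ImageLoaded -like    '*\winhttp.dll'                   -and
        $_.ImageLoaded -notlike 'C:\Windows\System32\*'           -and
        $_.ImageLoaded -notlike 'C:\Windows\SysWOW64\*'
    }
}

# ---- Constructed sample data ----
$t0    = Get-Date '2025-01-10T09:00:00'
$trace = @()
1..150 | ForEach-Object {           # 150 newsletter sign-up mails in five minutes: the flood
    $trace += [pscustomobject]@{
        Received         = $t0.AddSeconds($_ * 2)
        SenderAddress    = "newsletter$_@example.net"
        RecipientAddress = 'victim@corp.example'
    }
}
1..20 | ForEach-Object {            # 20 mails spread over ten hours: normal traffic
    $trace += [pscustomobject]@{
        Received         = $t0.AddMinutes($_ * 30)
        SenderAddress    = "colleague$_@corp.example"
        RecipientAddress = 'normal@corp.example'
    }
}

$imageLoads = @(
    # Legitimate: the real updater loading the real winhttp.dll from System32
    [pscustomobject]@{ Image = 'C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
                       ImageLoaded = 'C:\Windows\System32\winhttp.dll'; Signed = 'true' }
    # Sideload: a copy of the updater in an extracted archive loading an unsigned winhttp.dll beside it
    [pscustomobject]@{ Image = 'C:\Users\jdoe\Downloads\pack\OneDriveStandaloneUpdater.exe'
                       ImageLoaded = 'C:\Users\jdoe\Downloads\pack\winhttp.dll'; Signed = 'false' }
    # Unrelated process, system DLL: should not match
    [pscustomobject]@{ Image = 'C:\Windows\explorer.exe'
                       ImageLoaded = 'C:\Windows\System32\winhttp.dll'; Signed = 'true' }
)

Find-MailboxFlood -Messages $trace | Format-Table -AutoSize
Find-SuspiciousWinHttpLoad -ImageLoads $imageLoads | Format-Table Image, ImageLoaded, Signed -AutoSize
```

Against live data, replace $trace with the output of Get-MessageTrace from the ExchangeOnlineManagement module and $imageLoads with Sysmon Event ID 7 records read from the Microsoft-Windows-Sysmon/Operational log via Get-WinEvent; only the sample rows are constructed. The sideload rule is deliberately narrow (one executable, one DLL name) so that it fires on the chain Sophos described without flagging ordinary OneDrive updates.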
STAC5143, by contrast, is a previously unreported threat cluster [2] [8] [12] that Sophos associates with FIN7 [8], a group with ties to several ransomware operations [2], including REvil [2], LockBit [2], DarkSide [2], and Black Basta [1] [2] [4] [5] [6] [9] [10]. The cluster shares code obfuscation techniques and other technical overlaps with FIN7 [1]. It targets smaller organizations and places Teams calls from external accounts, one of them named "Help Desk Manager," to convince employees to allow remote screen control [12]. With that control, the attacker runs malware hosted on external SharePoint file stores: the chain begins with a Java archive (JAR) that fetches and extracts Python backdoors from a remote SharePoint link, giving the attackers control of the victim's computer and the ability to install additional malware [3], including a legitimate ProtonVPN executable used to side-load a malicious DLL and further backdoors [6]. STAC5143 also uses RPivot, a reverse SOCKS proxy tool, to tunnel command traffic [6], which helps it maintain access to compromised systems.
Both groups open with a barrage of spam emails followed by Microsoft Teams calls in which they impersonate internal IT staff [4]. STAC5143 asks the victim to grant remote screen control through Teams [2], whereas STAC5777 takes a more hands-on approach [12], running scripted commands on the host directly [12]. Both use PowerShell for persistence [12], credential gathering [3] [6] [12], and data exfiltration [3] [8] [12], and both have been observed attempting to evade defenses by uninstalling multifactor authentication integrations and endpoint protection software [12].
Since November 2024 [4], more than 15 incidents involving these tactics have been reported, a large share of them in the two weeks before Sophos published its findings in January 2025 [3] [9]. Organizations are advised to restrict Teams calls from external tenants, to remove or block remote access tools that their own IT support team does not use (Quick Assist among them) [2], and to include these specific email-bombing and fake-help-desk scenarios in social engineering awareness training [12]. Because both clusters abuse standard Microsoft 365 features rather than software flaws, any organization running these services is exposed [12]. Indicators of compromise for both campaigns have been published [9] and can be loaded into existing detection tooling.
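The two configuration changes recommended above, as an added example written for this page rather than code from the article or from Microsoft: restricting Teams federation to an explicit allow list with the MicrosoftTeams PowerShell module, and removing the Quick Assist capability from Windows endpoints where the IT support team does not use it. The partner domain is a placeholder; the Teams part must be run by a Teams administrator and the endpoint part by a local administrator.

```powershell
# Added example (not from the original article): hardening for the mitigations
# discussed above. Requires the MicrosoftTeams module (Install-Module MicrosoftTeams)
# for part 1 and local administrator rights for part 2. 'partner.example' is a
# placeholder for a tenant you genuinely need to federate with.

# --- 1. Microsoft Teams: stop arbitrary external tenants and consumer accounts from calling staff ---
Connect-MicrosoftTeams

# Record the current posture before changing anything
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowPublicUsers, AllowedDomains

# Build an explicit allow list; any tenant not on it can no longer reach users over Teams
$partner   = New-CsEdgeDomainPattern -Domain 'partner.example'   # placeholder domain
$allowList = New-CsEdgeAllowList -AllowedDomain $partner

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers       $true       `   # keep federation, but only with $allowList
    -AllowedDomains            $allowList  `
    -AllowTeamsConsumer        $false      `   # no personal (consumer) Teams accounts
    -AllowTeamsConsumerInbound $false      `
    -AllowPublicUsers          $false          # no Skype consumer accounts

# If no external federation is needed at all, the stricter setting is:
#   Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# --- 2. Windows endpoints: remove Quick Assist where IT support does not use it ---
# Quick Assist ships as a Windows capability; removing it takes away the tool
# STAC5777 asks victims to install or launch. Run this on each endpoint (for
# example via Intune or a scheduled task) with administrator rights.
$qa = Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*'
if ($qa -and $qa.State -eq 'Installed') {
    Remove-WindowsCapability -Online -Name $qa.Name
}

# Verify: State should now read NotPresent
Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*' |
    Select-Object Name, State
```

Changing AllowedDomains switches the tenant from an "allow all except blocked" model to "block all except allowed", so confirm with the business which partner tenants must stay reachable before applying it. Removing Quick Assist does not stop an attacker from asking a victim to download some other remote access tool, so pair it with application control that limits remote administration software to the products your help desk actually uses.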
Conclusion
The STAC5143 and STAC5777 campaigns show how attackers can turn ordinary Microsoft 365 features, external Teams federation and Quick Assist among them, into an intrusion path without exploiting any software vulnerability. Organizations should train employees to recognize the email-bombing-then-help-desk-call pattern, restrict external Teams communication and unsanctioned remote access tools, and monitor for the published indicators of compromise. The rising frequency of these attacks makes those controls a near-term priority for any organization that depends on Microsoft 365.
References
[1] https://cyberscoop.com/ransomware-groups-pose-as-fake-tech-support-over-teams/
[2] https://www.csoonline.com/article/3806856/spam-and-vishing-attacks-trick-employees-into-handing-over-microsoft-teams-access.html
[3] https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/
[4] https://fieldeffect.com/blog/microsoft-teams-abused-by-black-basta-affiliates
[5] https://undercodenews.com/microsoft-365-under-siege-email-bombing-and-vishing-tactics-surge-in-ransomware-attacks/
[6] https://clickcontrol.com/cyber-attack/deceptive-double-threat-hackers-weaponize-microsoft-teams-to-launch-sophisticated-ransomware-attacks/
[7] https://osintcorp.net/microsoft-teams-vishing-attacks-trick-employees-into-handing-over-remote-access/
[8] https://www.infosecurity-magazine.com/news/ransomware-email-bombing-teams/
[9] https://www.darkreading.com/cyberattacks-data-breaches/email-bombing-vishing-tactics-abound-microsoft-365-attacks
[10] https://www.helpnetsecurity.com/2025/01/21/ransomware-attackers-are-vishing-organizations-via-microsoft-teams-email-bombing/
[11] https://www.hendryadrian.com/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/
[12] https://www.techtarget.com/searchsecurity/news/366618294/Threat-actors-abusing-Microsoft-Teams-in-ransomware-attacks