Microsoft Teams Vishing Attacks Exploit Employees for Remote Access

Written by BCS365 | Jan 22, 2025 9:10:20 PM

Introduction:

Businesses face increasingly sophisticated cyber threats that challenge traditional security measures. Recent research by cybersecurity firm Sophos has highlighted a worrying trend: ransomware groups are leveraging Microsoft 365 and Teams, along with email bombing tactics, to execute highly effective impersonation attacks. This blog delves into these new cyber threats, their implications, and how businesses can protect themselves from ransomware and impersonation attacks.

The Emerging Cyber Threat: Impersonation and Email Bombing

Between November and December 2024, Sophos tracked multiple clusters of hacking activity targeting Microsoft 365 instances. These cyber attacks begin with an overwhelming barrage of emails—sometimes up to 3,000 in just 45 minutes—designed to create chaos in the target's inbox. This tactic not only overwhelms the recipient but also creates a false sense of urgency, often prompting individuals to seek IT assistance.

Once the target reaches out, hackers exploit this opportunity by posing as IT support personnel through Microsoft Teams. Under the guise of legitimate assistance, they persuade victims to permit remote access via Teams or Microsoft Quick Assist. This access is then used to establish command shells, access external SharePoint files, and deploy malware on the victim's device.

The Consequences of Unauthorized Access

With a command and control channel established, attackers can disable multifactor authentication and antivirus protections. This allows them to move laterally across the network, compromising additional systems and potentially causing widespread damage. Sophos' research indicates that these tactics have been used against multiple individuals and at least 15 organizations, many of which were fortunately blocked before any significant compromise occurred.

Targeting Smaller Organizations

While posing as tech support is a known social engineering tactic, the focus on Microsoft 365 and Teams highlights a shift in targeting. Smaller organizations, which have rapidly moved to cloud-based solutions like Office 365 and Teams during the COVID-19 pandemic, are particularly vulnerable. These businesses, often unfamiliar with the intricacies of new software, present lucrative targets for cybercriminals.

Sophos has highlighted that Office 365 infrastructure, closely tied to internal data systems, is now a prime target. The integration of new technologies without customized configurations and employee awareness creates exploitable weaknesses.

The Role of External Teams Accounts

One of the critical vulnerabilities lies in the default settings of Microsoft Teams, which may allow external actors to message employees while posing as tech support. This is compounded by the fact that many organizations routinely engage with legitimate external tech support through third-party managed security providers (MSPs), making such contact appear normal.

Furthermore, standard anti-phishing training often focuses on password hygiene and identifying fake emails, rather than detecting fake tech support staff. This gap in training leaves employees unprepared for these sophisticated social engineering attacks.
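
Because the pattern described above is an email flood followed by a Teams message from an outside account, a security team can correlate the two signals. The Python sketch below is an added example, not code from Sophos or BCS365. It assumes mail and Teams chat events have already been exported from your logs as simple tuples, and the thresholds, tenant domain and sample events are all constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed thresholds; tune per environment. The article cites up to 3,000 emails in 45 minutes.
BURST_WINDOW = timedelta(minutes=45)
BURST_THRESHOLD = 500                  # inbound messages to one recipient inside BURST_WINDOW
FOLLOWUP_WINDOW = timedelta(hours=4)   # external chat this soon after a burst is suspicious
HOME_TENANT = "corp.example"           # constructed tenant domain

def find_bursts(mail_events):
    """mail_events: (timestamp, recipient). Returns {recipient: time threshold was first hit}."""
    windows, bursts = {}, {}
    for ts, rcpt in sorted(mail_events):
        q = windows.setdefault(rcpt, deque())
        q.append(ts)
        while ts - q[0] > BURST_WINDOW:   # drop messages older than the sliding window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and rcpt not in bursts:
            bursts[rcpt] = ts
    return bursts

def correlate(mail_events, chat_events):
    """chat_events: (timestamp, sender, recipient). Flags external chats that follow a burst."""
    bursts = find_bursts(mail_events)
    alerts = []
    for ts, sender, rcpt in sorted(chat_events):
        start = bursts.get(rcpt)
        external = not sender.lower().endswith("@" + HOME_TENANT)
        if start is not None and external and timedelta(0) <= ts - start <= FOLLOWUP_WINDOW:
            alerts.append((rcpt, sender, ts))
    return alerts

def sample_data():
    """Constructed events: alice is flooded, bob receives normal mail volume."""
    t0 = datetime(2025, 1, 6, 9, 0)
    mail = [(t0 + timedelta(seconds=0.9 * i), "alice@corp.example") for i in range(3000)]
    mail += [(t0 + timedelta(minutes=5 * i), "bob@corp.example") for i in range(20)]
    chats = [
        (t0 + timedelta(minutes=50), "helpdesk@it-support.example", "alice@corp.example"),
        (t0 + timedelta(minutes=55), "carol@corp.example", "alice@corp.example"),   # internal
        (t0 + timedelta(minutes=30), "vendor@partner.example", "bob@corp.example"), # no burst
    ]
    return mail, chats

if __name__ == "__main__":
    for rcpt, sender, ts in correlate(*sample_data()):
        print(f"ALERT {ts:%Y-%m-%d %H:%M} external chat from {sender} to flooded user {rcpt}")
```

Only the external "helpdesk" chat to the flooded mailbox is flagged; the internal colleague and the vendor chat to an unaffected user are not.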

Recommendations for Cybersecurity Protection

To combat these cyber threats, organizations must scrutinize their configurations and default settings, ensuring they are not inadvertently allowing external access. We recommend that employees familiarize themselves with their company's IT help desk processes, and those of their managed services providers, and be aware of legitimate IT support staff's names and emails.

Additionally, organizations should invest in comprehensive training programs that cover a broader range of phishing and social engineering tactics. By doing so, employees can be better equipped to recognize and respond to suspicious activity.

Conclusion

As cyber threats continue to evolve, businesses must remain vigilant and proactive in their cybersecurity measures. The recent tactics employed by ransomware groups underscore the importance of adapting to new challenges and securing cloud-based infrastructures. By staying informed, working with a managed security services provider, and implementing robust security protocols, organizations can protect themselves from these emerging cyber threats and safeguard their valuable assets.

BCS365 can help organizations with protection against cyber threats, and our engineers are available 24/7/365 for more information.