
Default Teams configurations exploited in ransomware attacks

There’s no “i” in Teams – but there is in “IT support”


Several ransomware groups are exploiting default configurations in Microsoft Teams to initiate messages pretending to be IT support.

These often begin with the attacker sending a disruptively high number of emails, before messaging via Teams offering to help fix the "incident."

That’s according to a new report from Sophos. It said that it is tracking two threat groups that set up Microsoft Office 365 service tenants to take “advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users.” 

"Teams-based social engineering within the criminal ecosystem supporting ransomware is continuing to consume a disproportionate amount of our time as threat intel analysts" – Nick Carr, Microsoft Threat Intelligence

Several incidents have started with email bombing, or spamming inboxes with a flood of emails: 3,000 in 45 minutes in one incident, Sophos said.

This warm-up act is then “followed by an inbound Microsoft Teams message from someone claiming to be with their internal IT team” – in several cases they “walked the user through the process of installing Microsoft Quick Assist [a legitimate remote access tool] over the Teams call”, establishing a remote session and then installing malware.

(Red Teams have been doing something similar for many, many years; tactics may evolve but the strategy has been consistently successful.) 

The attackers have also been seen installing a legitimate Microsoft updater with a malicious side-loading DLL (library) that provides persistence and lets the attacker discover network resources and pull credentials.
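The chain above (a burst of inbound email, then an external Teams chat to the same user) is something a SOC can look for directly. The following is an added example, not code from Sophos, Microsoft or this article: a PowerShell correlation function run over constructed sample records. The field names (Recipient, Received, TargetUser, Time, SenderDomain) are assumptions standing in for whatever your message-trace and Teams audit exports actually use; the threshold and window values are placeholders to tune.

```powershell
# Added example (not from the Sophos report or the article): a correlation rule
# for the "email bomb, then external Teams contact" pattern.
# Input objects are constructed below; the property names are assumptions, not
# a real Exchange or Teams schema.

function Find-EmailBombThenTeamsContact {
    param(
        [Parameter(Mandatory)] [object[]] $MailEvents,   # objects with Recipient and Received (datetime)
        [Parameter(Mandatory)] [object[]] $TeamsEvents,  # objects with TargetUser, Time (datetime), SenderDomain
        [string[]] $TrustedDomains = @(),                # external domains expected to chat with your users
        [int] $Threshold = 500,                          # inbound mails per window that count as a bomb
        [int] $WindowMinutes = 45,                       # the article's example burst was 3,000 in 45 minutes
        [int] $FollowUpHours = 24                        # how long after the bomb an external chat is suspicious
    )

    $findings = @()
    foreach ($group in ($MailEvents | Group-Object Recipient)) {
        $times = @($group.Group | Sort-Object Received | ForEach-Object { $_.Received })
        $bombStart = $null
        # Sliding window: if mail[i + Threshold - 1] arrived within WindowMinutes of mail[i], it's a burst.
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                $bombStart = $times[$i]
                break
            }
        }
        if (-not $bombStart) { continue }

        # Any chat from an untrusted external domain to the bombed user within FollowUpHours?
        $suspectChats = $TeamsEvents | Where-Object {
            $_.TargetUser -eq $group.Name -and
            $_.Time -ge $bombStart -and
            ($_.Time - $bombStart).TotalHours -le $FollowUpHours -and
            $TrustedDomains -notcontains $_.SenderDomain
        }
        foreach ($chat in $suspectChats) {
            $findings += [pscustomobject]@{
                User         = $group.Name
                BombStart    = $bombStart
                ChatTime     = $chat.Time
                SenderDomain = $chat.SenderDomain
            }
        }
    }
    return $findings
}

# Constructed sample data: 600 mails to alice in 30 minutes, then an external chat 50 minutes later;
# bob gets one mail and a chat from a trusted partner domain, so he must not be flagged.
$t0 = Get-Date '2025-01-20T09:00:00'
$mail = @(0..599 | ForEach-Object {
    [pscustomobject]@{ Recipient = 'alice@example.com'; Received = $t0.AddSeconds($_ * 3) }
})
$mail += [pscustomobject]@{ Recipient = 'bob@example.com'; Received = $t0 }
$teams = @(
    [pscustomobject]@{ TargetUser = 'alice@example.com'; Time = $t0.AddMinutes(50); SenderDomain = 'it-helpdesk.example' },
    [pscustomobject]@{ TargetUser = 'bob@example.com';   Time = $t0.AddMinutes(10); SenderDomain = 'partner.example' }
)

# Expected: one finding, for alice, with SenderDomain 'it-helpdesk.example'.
Find-EmailBombThenTeamsContact -MailEvents $mail -TeamsEvents $teams -TrustedDomains 'partner.example' | Format-Table
```

In production the mail side would come from a message trace or the Exchange transport logs and the Teams side from the unified audit log; the value of the rule is the correlation, since neither signal alone is conclusive and the external-chat event is easy to miss among legitimate federated traffic.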

Ransomware attacks via Teams

That is, perhaps, to be expected given the sheer scale of Teams use (over 320 million users) and the persistent success of social engineering; something that is getting easier with generative AI-powered emails.

But Sophos said Teams’ default configurations were also to blame.

(In a thread on X about recent ransomware attacks, which also touched on the Teams-based social engineering, Microsoft Threat Intelligence concluded simply that “applying durable best practices like credential hygiene, the principle of least privilege, and Zero Trust will continue to help users and organizations protect environments from ransomware…”)

Sophos, rather more specifically and concretely, warned that “unless absolutely necessary, organizations should ensure that their O365 service provisions restrict Teams calls from outside organizations or restrict that capability to trusted business partners. Additionally, remote access applications such as Quick Assist should be restricted by policy unless they are specifically used by the organization’s technical support team.”
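The two controls Sophos recommends map to concrete tenant and endpoint settings. The following is an added example, not code from Sophos, Microsoft or this article, showing how an admin would inspect the Teams external-access default and tighten it, and how to remove Quick Assist from endpoints that do not need it. It assumes the MicrosoftTeams PowerShell module and a Teams administrator session; the partner domain names are placeholders.

```powershell
# Added example (not code from Sophos or the article): tighten the two defaults the article
# calls out. Requires the MicrosoftTeams module and a Teams admin account; domains are placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Inspect the current external-access (federation) settings. The out-of-the-box state is
#    AllowFederatedUsers = $true with an open allow list, which is what lets an attacker-owned
#    tenant start a chat or call with your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# Option A: block all external chat and calling (pick A or B, not both).
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Option B: keep federation, but only with named business partners.
$partners = New-CsEdgeAllowList -AllowedDomain @(
    (New-CsEdgeDomainPattern -Domain 'partner-one.example'),   # placeholder
    (New-CsEdgeDomainPattern -Domain 'partner-two.example')    # placeholder
)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $partners

# In either case, also stop unmanaged personal (consumer) Teams accounts from reaching your users.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 2. Quick Assist is a Store app; remove it from endpoints where support staff do not use it.
#    Run with admin rights on the device (or as an Intune remediation script).
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' | Remove-AppxPackage -AllUsers
```

Restricting federation to an allow list rather than disabling it outright is usually the workable choice for organisations that genuinely collaborate over Teams with partners; the important point is that the allow list is closed by default, so an attacker-registered tenant is simply not on it. Re-run the Get-CsTenantFederationConfiguration check after the change and periodically thereafter, since these settings are also a target for tampering once an attacker has admin access.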

Microsoft Threat Intelligence tracks the groups it has seen involved as Storm-1674 and Storm-1811; Sophos as STAC5143 and STAC5777.

Sophos has more technical details here and IOCs here.
