Two ransomware campaigns tracked using 'email bombing' and Microsoft Teams 'vishing'
Essential information
- Published
- 22/01/2025 09:09
- Modified
- 22/01/2025 09:17
- Tags
- 2025-01-22 black basta email bombing ransomware social engineering vishing
- Related entities
- 17 observables, 1 intrusion sets (apt), 7 techniques (mitre), 1 malware
Description
Sophos MDR has identified two threat clusters, STAC5143 and STAC5777, targeting organizations using Microsoft Office 365. Both employ similar tactics: email bombing to create urgency, followed by social engineering via Microsoft Teams calls posing as tech support. The attackers use remote access tools to deploy malware and conduct reconnaissance. STAC5143 uses Java and Python-based malware, possibly linked to FIN7. STAC5777 utilizes a malicious DLL side-loaded by a legitimate Microsoft updater, and in one case attempted to deploy Black Basta ransomware. Both groups aim to steal data and deploy ransomware, exploiting Office 365 vulnerabilities and users' trust in IT support.