eSentire reports a rise in email bombing attacks linked to ransomware campaigns: threat actors flood a victim’s inbox with spam, then impersonate IT support over Microsoft Teams to talk the user into granting access to their systems. Recommendations include restricting external Teams communications and strengthening security awareness training for users. Affected: organizations, individuals, Microsoft Teams, email systems
Keypoints :
- Rise in Email Bombing attacks observed by eSentire.
- Threat actors use phishing and social-engineering techniques to get malware onto victim hosts.
- Email bombing floods a user’s inbox with spam, degrading mail service for the target.
- The actor then impersonates IT support over Microsoft Teams to persuade the user to grant unauthorized remote access.
- Linked to active ransomware threat groups.
- Organizations advised to limit external access and follow least privilege principles.
- eSentire employs a Global Block List to block malicious IPs and enhance threat intelligence.
- Recommendations for users include awareness training and secure credential practices.
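The script below is an added illustration of how the chain described in the key points above can be detected; it is not eSentire’s tooling. It takes mail-gateway and Teams events in a simplified one-line-per-event format (assumed here), flags a recipient whose inbox receives a burst of mail from many unrelated senders, and raises an alert when that recipient is then contacted over Teams from outside the organisation within a few hours. The event format, field names, thresholds, the `corp.example` domain and all sample events are assumptions constructed for this example.

```python
"""Email bombing followed by external Teams contact: a correlation check.

Added example, not eSentire's tooling. The one-line event format, the
field names, the thresholds and the sample events below are all
constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)    # assumed: sliding window for inbound mail bursts
BURST_THRESHOLD = 20              # assumed: messages to one recipient inside WINDOW
DISTINCT_SENDERS = 10             # assumed: bombing comes from many unrelated senders
FOLLOW_UP = timedelta(hours=4)    # assumed: external Teams contact this soon after a burst is suspicious
INTERNAL_DOMAIN = "corp.example"  # constructed victim organisation

# assumed event format: "<ISO-8601 UTC> <mail|teams> to=<recipient> from=<sender>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>mail|teams) to=(?P<to>\S+) from=(?P<src>\S+)$")


def parse(line):
    """Parse one event line; return None for lines that do not fit the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "kind": m["kind"], "to": m["to"], "src": m["src"]}


def find_bursts(events):
    """Return {recipient: start of first burst} for recipients hit by an email bomb.

    A burst is BURST_THRESHOLD or more mail events within WINDOW coming from at
    least DISTINCT_SENDERS different senders; the sender-count condition separates
    a bombing run (mass newsletter sign-ups) from one chatty legitimate sender.
    """
    per_recipient = defaultdict(list)
    for ev in events:
        if ev["kind"] == "mail":
            per_recipient[ev["to"]].append(ev)

    bursts = {}
    for rcpt, evs in per_recipient.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            if (len(window) >= BURST_THRESHOLD
                    and len({e["src"] for e in window}) >= DISTINCT_SENDERS):
                bursts[rcpt] = window[0]["ts"]
                break
    return bursts


def correlate(lines):
    """Alert on external Teams contact shortly after an email-bombing burst."""
    events = [ev for ev in map(parse, lines) if ev]
    bursts = find_bursts(events)
    alerts = []
    for ev in events:
        if ev["kind"] != "teams" or ev["to"] not in bursts:
            continue
        if ev["src"].rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN:
            continue  # chats from the organisation's own tenant are expected
        burst_at = bursts[ev["to"]]
        if burst_at <= ev["ts"] <= burst_at + FOLLOW_UP:
            alerts.append({"user": ev["to"], "burst_at": burst_at,
                           "teams_from": ev["src"], "contact_at": ev["ts"]})
    return alerts


def sample_lines():
    """Constructed events: alice is bombed, then contacted by a fake helpdesk."""
    base = datetime(2024, 11, 5, 9, 0, tzinfo=timezone.utc)

    def stamp(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 25 sign-up confirmations from 25 unrelated senders in six minutes
    for i in range(25):
        lines.append(f"{stamp(base + timedelta(seconds=15 * i))} mail "
                     f"to=alice@{INTERNAL_DOMAIN} from=noreply{i}@shop{i}.example")
    # ordinary mail for bob: a few messages from a single internal sender
    for i in range(3):
        lines.append(f"{stamp(base + timedelta(minutes=2 * i))} mail "
                     f"to=bob@{INTERNAL_DOMAIN} from=ticketing@{INTERNAL_DOMAIN}")
    lines += [
        # external "helpdesk" tenant reaches alice 35 minutes after the flood began
        f"{stamp(base + timedelta(minutes=35))} teams to=alice@{INTERNAL_DOMAIN} from=helpdesk@it-support-team.example",
        # a colleague messages alice: internal, not alerted
        f"{stamp(base + timedelta(minutes=40))} teams to=alice@{INTERNAL_DOMAIN} from=colleague@{INTERNAL_DOMAIN}",
        # an external vendor messages bob, who was not bombed: not alerted
        f"{stamp(base + timedelta(minutes=50))} teams to=bob@{INTERNAL_DOMAIN} from=vendor@partner.example",
    ]
    return lines


if __name__ == "__main__":
    for alert in correlate(sample_lines()):
        print(f"{alert['user']}: mail burst at {alert['burst_at']:%H:%M}, "
              f"external Teams contact from {alert['teams_from']} at {alert['contact_at']:%H:%M}")
```

Running the script prints a single alert for alice. The distinct-sender condition matters in practice: a bombing run consists of confirmation mails from many unrelated services, so a threshold on message count alone would also fire on a legitimate high-volume sender such as a ticketing system. Thresholds should be tuned to the organisation's normal inbound volume before the rule is used for alerting.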
MITRE Techniques :
- Initial Access – Spearphishing via Service (T1566.003): Microsoft Teams messages from an external tenant, impersonating IT support, used to initiate contact with the target.
- Command and Control – Remote Access Software (T1219): Quick Assist and Teams screen sharing used to establish interactive remote access; the sessions travel over ordinary HTTPS (Application Layer Protocol, T1071).
- Execution – User Execution: Malicious Link (T1204.001), with Ingress Tool Transfer (T1105): the victim is led to download and run malware from links sent over the external channel. No exploit is involved, so T1203 (Exploitation for Client Execution) and T1210 (Exploitation of Remote Services) do not apply.
- Persistence – Remote Access Software (T1219): legitimate tools (TeamViewer, Microsoft Remote Control) left installed for continued access; Boot or Logon Autostart Execution (T1547) applies only where such a tool is configured to start with the system.
- Credential Access – OS Credential Dumping (T1003): malware used to collect and exfiltrate user credentials.
Indicators of Compromise :
- [IP Address] 38[.]180[.]25[.]3
- [IP Address] 45[.]8[.]157[.]199
- [IP Address] 5[.]181[.]3[.]164
- [URL] hxxps[://]filters6[.]s3[.]us-east-2[.]amazonaws[.]com
- [SHA-256] 0041E492A07AAC0B64AD907D44E6242BCA8A2193D492B8DD44EFC14170391E0F
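The following script is an added example of turning the defanged indicators above into matchers and running them over log lines; it is not part of the eSentire report. The indicator values are the ones listed on this page; the proxy, DNS and EDR log formats and the sample lines are constructed for the example. Note the caveat on the S3 entry: the listed URL is a bucket on shared AWS infrastructure, so the match is on the exact bucket hostname, never on the `amazonaws.com` suffix, which would flag every S3 bucket in the region.

```python
"""Refang the indicators listed above and match them against log lines.

Added example, not eSentire's code. The log line formats and sample lines
are constructed; the indicator values are the ones listed on this page.
"""
import re
from urllib.parse import urlsplit

DEFANGED = {
    "ip": ["38[.]180[.]25[.]3", "45[.]8[.]157[.]199", "5[.]181[.]3[.]164"],
    "url": ["hxxps[://]filters6[.]s3[.]us-east-2[.]amazonaws[.]com"],
    "sha256": ["0041E492A07AAC0B64AD907D44E6242BCA8A2193D492B8DD44EFC14170391E0F"],
}


def refang(value):
    """Undo the usual defanging: hxxp -> http, [://] -> ://, [.] -> ."""
    return value.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


IPS = {refang(v) for v in DEFANGED["ip"]}
# Match the exact bucket hostname. A suffix match on amazonaws.com would flag
# every S3 bucket in the region, since the listed URL is on shared AWS infrastructure.
HOSTS = {urlsplit(refang(v)).hostname for v in DEFANGED["url"]}
HASHES = {v.lower() for v in DEFANGED["sha256"]}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def match_line(line):
    """Return [(kind, value), ...] for every listed indicator found in the line."""
    hits = []
    hits += [("ip", ip) for ip in IPV4_RE.findall(line) if ip in IPS]
    hits += [("host", h.lower()) for h in HOST_RE.findall(line) if h.lower() in HOSTS]
    hits += [("sha256", h.lower()) for h in SHA256_RE.findall(line) if h.lower() in HASHES]
    return hits


def scan(lines):
    """Return (line_number, line, hits) for each line with at least one hit."""
    results = []
    for number, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines (assumed proxy / DNS / EDR formats).
SAMPLE_LOG = [
    "2024-11-05T10:12:01Z proxy src=10.0.0.14 dst=45.8.157.199:443 host=- action=allow",
    "2024-11-05T10:12:03Z dns client=10.0.0.14 q=filters6.s3.us-east-2.amazonaws.com type=A",
    "2024-11-05T10:12:09Z dns client=10.0.0.22 q=docs.s3.us-east-2.amazonaws.com type=A",
    "2024-11-05T10:13:40Z edr host=WS-014 file=C:\\Users\\alice\\Downloads\\update.exe "
    "sha256=0041e492a07aac0b64ad907d44e6242bca8a2193d492b8dd44efc14170391e0f",
    "2024-11-05T10:14:00Z proxy src=10.0.0.14 dst=142.250.72.14:443 host=www.google.com action=allow",
]

if __name__ == "__main__":
    for number, line, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
        print(f"    {line}")
```

Line 2 of the sample, a lookup of a different bucket in the same region, is deliberately left unmatched: it shows why the host matcher compares whole hostnames rather than suffixes. Hash comparison is case-insensitive because EDR and sandbox tools differ in how they print digests.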