Sophos MDR Tracks Two Ransomware Campaigns Using “Email Bombing,” Microsoft Teams “Vishing”
Sophos X-Ops’ Managed Detection and Response (MDR) has reported on two active threat clusters, STAC5143 and STAC5777, utilizing Microsoft Office 365 to infiltrate organizations for data theft and ransomware deployment. The tactics include email-bombing, fake tech support, and exploiting remote control tools. Both clusters exhibit overlapping techniques with known threat groups like FIN7 and Storm-1811.

Affected: Microsoft Office 365

Key points:

  • Sophos MDR is responding to incidents from two threat clusters, STAC5143 and STAC5777.
  • Both groups exploit Microsoft Office 365 functionalities to access targeted organizations.
  • Common tactics include email-bombing and impersonating tech support via Microsoft Teams.
  • STAC5143 is linked to FIN7, while STAC5777 overlaps with Storm-1811.
  • Over 15 incidents have been observed in the last three months, indicating a rising threat.
  • Attack methods involve the use of remote control tools like Microsoft Quick Assist and Teams screen sharing.
  • Malware deployment includes Java-based backdoors and malicious DLLs.
  • Organizations are advised to restrict external Teams calls and remote access tools.

MITRE Techniques:

  • TA0011: Command and Control – T1090: Proxy – Used a Java-based proxy in MailQueue-Handler.jar.
  • TA0002: Execution – T1059.001: PowerShell – Executed PowerShell commands to download and extract malware.
  • TA0007: Discovery – T1049: System Network Connections Discovery – Used commands to discover network resources.
  • TA0002: Execution – T1059.001: PowerShell – Executed commands to download malicious payloads.
  • TA0007: Discovery – T1018: Remote System Discovery – Scanned for online hosts and domain controllers.
  • TA0002: Execution – T1059.001: PowerShell – Executed the malicious Python payload.

Indicators of Compromise:

  • [email] helpdesk@llladminhlpll.onmicrosoft.com
  • [ip address] 78.46.67[.]201
  • [ip address] 185.190.251[.]16
  • [ip address] 207.90.238[.]52
  • [ip address] 89.185.80[.]86
  • See the full article for the complete list of IoCs.


Full Research: https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/