Ransomware groups pose as fake tech support over Teams | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/ransomware-groups-pose-as-fake-tech-support-over-teams\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Ransomware groups pose as fake tech support over Teams\"> <meta property=\"og:description\" content=\"A researcher at Sophos told CyberScoop that the company observed these tactics being used against multiple individuals and at least 15 organizations.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/ransomware-groups-pose-as-fake-tech-support-over-teams\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-21T22:50:57+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-21T22:52:10+00:00\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472017g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1737070850g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=cc5cb8dd0a9ba2b865c4\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83211\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83211\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fransomware-groups-pose-as-fake-tech-support-over-teams%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fransomware-groups-pose-as-fake-tech-support-over-teams%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83211 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/ransomware-groups-pose-as-fake-tech-support-over-teams\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.242700729927\">\n<div class=\"single-article__header-content\" readability=\"33.694581280788\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/ransomware-groups-pose-as-fake-tech-support-over-teams\/\"> <span>Ransomware<\/span> <\/a> <\/li>\n<\/ul>\n<p> A researcher at Sophos told CyberScoop that the company observed these tactics being used against multiple individuals and at least 15 organizations. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83211\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg 4500w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=2048,1366 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=1012,675 1012w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-2.jpg?resize=1264,843 1264w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> A screen shows a virtual meeting with Microsoft Teams at ISE 2024 on January 30, 2024 in Barcelona, Spain. (Photo by Cesc Maymo\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"55.398414723032\"><body readability=\"111.13673838729\"><\/p>\n<p>Researchers at cybersecurity firm Sophos are tracking multiple clusters of hacking activity leveraging Microsoft 365 instances, Microsoft Teams and email bombing tactics to deliver ransomware.<\/p>\n<p>In new <a href=\"https:\/\/news.sophos.com\/en-us\/2025\/01\/21\/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing\/\">research<\/a> released Tuesday, the company said it had identified at least two distinct clusters of hacking activity using the tactics to infect targets between November and December 2024.<\/p>\n<p>First, several individuals at an organization are inundated with emails \u2014 up to 3,000 in 45 minutes in some cases. The sheer volume of spam is designed to overwhelm the target\u2019s inbox and \u201ccreate a sense of urgency\u201d that may push them to reach out to IT for assistance, the researchers said.<\/p>\n<p>Then, using an external account, the hackers will message one of the targets over Microsoft Teams, posing as the organization\u2019s IT support or a \u201cHelp Desk Manager.\u201d Under the guise of assistance, the actors push the victim to permit a remote screen control session through Teams or Microsoft Quick Assist, which is then used to create command shells, access an external Sharepoint file and deploy malware on the victim\u2019s device.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>With a command and control channel established, the attackers then use the target\u2019s credentials to disable multifactor authentication and antivirus protections, connect to other hosts on the network and move laterally to compromise other systems.<\/p>\n<p>Sean Gallagher, principal threat researcher at Sophos and one of the authors of the research, told CyberScoop that his group has observed these tactics being used against multiple individuals and at least 15 organizations, most of which were blocked before they could compromise targeted devices.<\/p>\n<p>Posing as tech support is a well-known social engineering scheme for malicious hackers, and has been <a href=\"https:\/\/www.dhs.gov\/archive\/news\/2023\/08\/10\/cyber-safety-review-board-releases-report-activities-global-extortion-focused\">used by<\/a> cybercriminal groups like Lapsus$ to <a href=\"https:\/\/cyberscoop.com\/cyber-company-okta-is-latest-potential-victim-of-lapsus-hackers\/\">compromise large<\/a>, multinational businesses. But the targeting of Office 365 and Teams has come mainly against smaller organizations and reflects how threat groups have increasingly capitalized on the rush by small and mid-sized businesses to move to the cloud and digitize, particularly in the wake of the COVID-19 pandemic.<\/p>\n<p>For many of these smaller organizations, using unfamiliar software like Microsoft Office 365, Teams, and Azure for the first time left them vulnerable to attackers.<\/p>\n<p>\u201cIt\u2019s a much more lucrative target now for cybercriminals to go after Office 365 infrastructure, especially when it\u2019s tied so intimately to internal infrastructure and data systems,\u201d Gallagher said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The use of external Teams accounts to pose as tech support highlights the weaknesses that can be created when new technologies are integrated into an organization without custom configuration and employee awareness. Many organizations, Gallagher contends, are unaware that the default setting in their Microsoft Teams software allows for external actors to message employees through the app while posing as tech support, something that can make them more vulnerable to phishing and social engineering schemes. <\/p>\n<p>Organizations frequently rely on legitimate external tech support through third-party managed security providers (MSPs), so such contact isn\u2019t unusual. Further, standard anti-phishing training tends to focus on good password hygiene and identifying fake emails, rather than detecting fake tech support staff. <\/p>\n<p>\u201cNobody is trained on the whole idea of: you have an inbound call from someone who\u2019s your IT support, you just had an IT problem, and you may have already put in a trouble ticket for IT. How do you assure that the person who\u2019s calling you on your internal communications system is in fact your IT person?\u201d Gallagher said.<\/p>\n<p>There are at least two groups that have been observed carrying out this infection chain, both with technical connections to bigger players in the cybercrime ecosystem. One, STAC5143, shares technical overlaps and code obfuscation tactics with the FIN7 cybercriminal gang. The other, STAC5777, uses tactics <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/05\/15\/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware\/\">similar to Storm-1811<\/a>, a threat actor that uses similar social engineering tactics to deliver Black Basta ransomware code.<\/p>\n<p>Gallagher highlights that while Storm-1811 and FIN7 are both sophisticated groups that share significant tools and tactics, entities like FIN7 sell their software and phishing kits to other cybercriminal groups, complicating attribution to a specific actor.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Additionally, CISA <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-131a\">warned about these tactics<\/a> being used to deliver Black Basta in November. <\/p>\n<p>Organizations should scrutinize their configurations and default settings to prevent these attack vectors, Sophos recommended. For employees, having some familiarity with how their employer\u2019s IT help desk process works in advance, or simply knowing the name or email of your IT support staff, can help guard against this kind of exploitation.<br \/>For malware analysis, detection rules and indicators of compromise associated with these campaigns, see Sophos\u2019 full research <a href=\"https:\/\/news.sophos.com\/en-us\/2025\/01\/21\/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing\/\">here<\/a>.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.8054474708171\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/ransomware-groups-pose-as-fake-tech-support-over-teams-1.jpg?w=640&ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/ransomware-groups-pose-as-fake-tech-support-over-teams\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware groups pose as fake tech support over Teams |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[625,46,2927],"tags":[630,54,2928],"class_list":["post-7014","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-ransomware","category-sophos","tag-microsoft","tag-ransomware","tag-sophos"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sophos\/\" rel=\"category tag\">Sophos<\/a>","tag_info":"Sophos","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7014","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7014"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7014\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7014"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7014"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7014,"date":"2025-01-21T16:50:57","date_gmt":"2025-01-21T22:50:57","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83211"},"modified":"2025-01-21T16:50:57","modified_gmt":"2025-01-21T22:50:57","slug":"ransomware-groups-pose-as-fake-tech-support-over-teams","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/21\/ransomware-groups-pose-as-fake-tech-support-over-teams\/","title":{"rendered":"Ransomware groups pose as fake tech support over Teams"},"content":{"rendered":"