
Ransomware Gangs Are Targeting Businesses, Posing as Microsoft Teams IT Support

  • Writer: Jeff Wolff
  • Apr 1
  • 2 min read


As reported by BleepingComputer, cybercriminals are becoming increasingly sophisticated in their attacks, using Microsoft Teams to pose as IT support personnel. Recent investigations have found ransomware gangs abusing Teams' external access settings, which by default let users in any other Microsoft 365 tenant call and message employees, to talk victims into granting remote access to corporate endpoints, then deploying malware and stealing sensitive data.


How the Ransomware Scam Works

Cybersecurity researchers have observed a new attack pattern used by at least two threat clusters: one that deploys Black Basta ransomware and one potentially linked to FIN7, a notorious cybercriminal group. These attacks follow a structured approach:


  1. Email Bombing – The victim’s inbox is flooded with thousands of emails in a short time to create confusion and urgency.

  2. Fake IT Support Calls – Attackers, calling from adversary-controlled Office 365 tenants, initiate a Teams call under display names like “Help Desk Manager” and offer to fix the email flood.

  3. Remote Control Requests – The victim is convinced to set up a remote session via Microsoft Teams or Microsoft Quick Assist.

  4. Malware Deployment – The attacker drops malicious files, such as Java Archive (JAR) files or Python scripts, which execute PowerShell commands to install backdoors and keyloggers.

  5. Credential Theft and Network Scanning – The malware harvests stored credentials, logs keystrokes, and scans for other vulnerable systems.

  6. Ransomware Deployment – If successful, the attackers attempt to deploy ransomware, encrypting files and demanding payment.


Two specific campaigns have been identified:


  • STAC5143 Attack: Attackers dropped a legitimate ProtonVPN executable alongside a malicious DLL (nethost.dll); when the executable ran, it side-loaded the DLL, which established an encrypted command-and-control channel for remote access.

  • STAC5777 Attack: Hackers tricked victims into installing and running Microsoft Quick Assist, gaining direct control of the machine to deploy a malicious winhttp.dll that was side-loaded by a legitimate Microsoft binary. The DLL harvested credentials, and the attackers then attempted to deploy Black Basta ransomware.


Why These Ransomware Attacks Are Effective


  • Exploitation of Default Microsoft Teams Settings – Teams' default external access (federation) settings allow chats and calls from any other Microsoft 365 tenant, so an attacker-owned tenant can reach employees directly without any prior relationship.

  • Social Engineering Tactics – Attackers use urgency and authority (posing as IT support) to manipulate victims.

  • Use of Legitimate Microsoft Tools – The malicious DLL is loaded by a recognized, signed Microsoft application such as OneDriveStandaloneUpdater.exe, so the attacker's code runs inside a process that allow-lists and reputation-based controls trust.

  • Advanced Evasion Techniques – DLL side-loading and encrypted command-and-control traffic help the attackers slip past signature-based endpoint and network defenses.
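The side-loading pattern above (a legitimate binary such as OneDriveStandaloneUpdater.exe or a ProtonVPN executable loading winhttp.dll or nethost.dll from its own directory rather than from the Windows system folders) is something a SOC can hunt for in image-load telemetry. The following is an added example written for this page, not code from the article or from the researchers it cites. The event list is constructed sample data shaped like Sysmon Event ID 7 (Image Loaded) records; the paths and the `Signed` values are placeholders, not real indicators, and the function name `Find-DllSideLoad` is my own.

```powershell
# Added example (not from the article): flag watched DLL names that a process loads
# from outside the Windows system folders, the signature of the side-loading used
# in the STAC5143 (nethost.dll) and STAC5777 (winhttp.dll) campaigns.

# Constructed sample events in the shape of Sysmon Event ID 7 fields.
$sampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\svchost.exe'
                       ImageLoaded = 'C:\Windows\System32\winhttp.dll'; Signed = 'true' },
    [pscustomobject]@{ Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
                       ImageLoaded = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\winhttp.dll'; Signed = 'false' },
    [pscustomobject]@{ Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
                       ImageLoaded = 'C:\Windows\System32\winhttp.dll'; Signed = 'true' },
    [pscustomobject]@{ Image = 'C:\Users\bob\Downloads\ProtonVPN.exe'
                       ImageLoaded = 'C:\Users\bob\Downloads\nethost.dll'; Signed = 'false' }
)

function Find-DllSideLoad {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # DLL names abused in the two campaigns described above; extend as needed.
        [string[]] $WatchedDlls = @('winhttp.dll', 'nethost.dll')
    )
    $root = if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\Windows' }
    $systemDirs = @("$root\System32\", "$root\SysWOW64\")

    foreach ($e in $Events) {
        $dllName = [System.IO.Path]::GetFileName($e.ImageLoaded)
        if ($WatchedDlls -notcontains $dllName) { continue }

        $fromSystemDir = [bool]($systemDirs | Where-Object { $e.ImageLoaded.StartsWith($_, 'OrdinalIgnoreCase') })
        $sameDirAsExe  = [System.IO.Path]::GetDirectoryName($e.ImageLoaded) -eq
                         [System.IO.Path]::GetDirectoryName($e.Image)

        # A watched DLL that is not in System32/SysWOW64 and either sits next to the
        # host executable or is unsigned is the side-load pattern worth a look.
        if (-not $fromSystemDir -and ($sameDirAsExe -or $e.Signed -eq 'false')) {
            [pscustomobject]@{
                Process = $e.Image
                Dll     = $e.ImageLoaded
                Signed  = $e.Signed
                Reason  = 'watched DLL loaded from outside the Windows system folders'
            }
        }
    }
}

Find-DllSideLoad -Events $sampleEvents | Format-Table -AutoSize

# Against live data, parse real Sysmon Event ID 7 records into the same shape:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{}
#         $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]$d
#     } | Find-DllSideLoad
```

On the sample data the function returns the two loads from user-writable directories (the OneDrive winhttp.dll and the Downloads nethost.dll) and ignores the two System32 loads. Real environments will have benign applications that ship their own copy of a watched DLL, so treat hits as hunting leads, tune `$WatchedDlls` to the binaries you care about, and pair the rule with the process's own signer and parent.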


Mitigation Strategies

Organizations can take several steps to reduce the risk of such attacks:


  • Restrict External Teams Communication – Disable external chats and calls unless absolutely necessary, or restrict them to an explicit allow list of trusted partner domains.

  • Disable Microsoft Quick Assist – Uninstall or block Quick Assist on managed endpoints where it is not needed, and restrict remote control in Teams screen-sharing; both were used as the remote-control step in these attacks.

  • Enhance Employee Awareness – Train employees to recognize phishing attempts and suspicious IT support requests.

  • Deploy Endpoint Protection – Use advanced threat detection tools to identify and block malicious activity.

  • Monitor Logs and Network Activity – Audit external Teams chats and calls, alert when Microsoft binaries such as OneDriveStandaloneUpdater.exe load DLLs from user-writable directories, and watch for unexpected remote-access sessions following a burst of inbound email.
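The first two mitigations are tenant and endpoint settings that an administrator can apply from PowerShell. What follows is an added example written for this page, not code from the article; it assumes the MicrosoftTeams PowerShell module is installed and `Connect-MicrosoftTeams` has already been run as a Teams administrator, and the domain `partner.example` is a placeholder for a domain you genuinely need to federate with.

```powershell
# Added example (not from the article): lock down Teams external access and
# remove Quick Assist. Assumes Connect-MicrosoftTeams has already been run.

# --- Tenant side: Teams external access (federation) -------------------------
# Show the current state first. AllowFederatedUsers = $true with an empty
# AllowedDomains list means any other Microsoft 365 tenant can call or chat.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# Replace "allow everyone" with an explicit allow list of known partner domains.
# "partner.example" is a placeholder.
$domainPatterns = @('partner.example') | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $domainPatterns

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomains $allowList `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# If there is no business need for any external chat or calls, close it entirely:
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Stop external meeting participants from taking or being given control of a
# shared screen, the Teams-native remote-control path used in these attacks.
Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalParticipantGiveRequestControl $false

# --- Endpoint side: remove Quick Assist ----------------------------------------
# Quick Assist ships as a Windows capability on Windows 10 and as a Store app on
# Windows 11, so handle both. Run elevated on the endpoint (or push via Intune).
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    Remove-WindowsCapability -Online

Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
    Remove-AppxPackage -AllUsers

# Verify nothing is left behind.
Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*' | Select-Object Name, State
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
```

Removing the package only raises the bar: a user who has been talked into it can still reinstall Quick Assist from the Store or accept another remote-support tool, so pair the removal with an application-control policy that blocks unapproved remote-access software and with the Teams federation restriction, which removes the attacker's way of starting the conversation in the first place.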


By staying informed and proactive, organizations running Microsoft 365 can better protect themselves against these evolving cyber threats.
