
That invitation to a Teams call on which IT promises to mop up a spamstorm may not be what it seems
Seen on The Register:
Two ransomware campaigns are abusing Microsoft Teams to infect organizations and steal data, and the crooks may have ties to Black Basta and FIN7, according to Sophos.
The antivirus maker’s managed detection and response (MDR) team began investigating the two separate campaigns in November and December. Both of the ransomware crews, which Sophos calls STAC5143 and STAC5777, operated their own Microsoft Office 365 service tenants for these attacks and also abused a default Teams configuration that allows external users to initiate meetings or chats with internal ones.
… STAC5143 first appeared on the Sophos team’s radar in November, when a customer reported receiving more than 3,000 spam emails in a 45-minute period.
Soon after, the customer received a Microsoft Teams call from outside the org, coming from a bogus “Help Desk Manager” account. During the call, the phony help desk instructed the employee to allow a remote screen control session through Teams. The attacker then used this access to open a command shell, drop some files, and run malware on the victim’s machine.
Read more at The Register.