Cybercriminals are exploiting Microsoft Teams to impersonate technical support staff and infiltrate organizations, according to a new report by cybersecurity firm Sophos. The attacks aim to steal sensitive data and deploy ransomware.
Two distinct threat groups, identified as STAC5143 and STAC5777, have been observed conducting these sophisticated social engineering campaigns over the past three months, with half of the incidents occurring in just the last two weeks.
The attackers abuse Microsoft Teams' default external access settings, under which users from any other organization's tenant can start chats, calls and meetings with internal employees without prior approval. Their tactics include:
- Overwhelming target employees' Outlook inboxes with spam emails
- Making voice and video calls while posing as IT support
- Using Microsoft's own remote control features (such as Teams screen control) to take over victims' computers
- Installing malware through remote access
In one attack pattern, the attackers posed as a "Help Desk Manager" and initiated Teams video calls with employees. Because many organizations outsource IT support to external providers, a call from an outside account did not raise immediate suspicion. Once connected, the attackers persuaded victims to grant remote screen control, which let them download and run malware from attacker-controlled sources on the victim's machine.
The second group took a different approach: it first flooded victims' inboxes with spam, then sent Teams messages claiming to be internal IT staff responding to the spam problem. The manufactured urgency led victims to accept calls from the attackers.
Sophos has linked one of the groups to earlier technical support scams and to deployments of Black Basta ransomware. Although security software blocked one attempted ransomware deployment, the campaign is ongoing and the risk to organizations with open Teams external access remains.
To protect against these threats, organizations should:
- Restrict Teams chats and calls from external organizations, allow-listing the specific partner domains that genuinely need access instead of accepting all domains
- Limit which users can run remote control applications, including the screen control built into Teams
- Train employees to recognize social engineering attempts, including the spam-flood-then-"IT support" sequence
- Tell employees clearly how legitimate IT support will and will not contact them
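As an added example (not part of the Sophos report or this article), the following PowerShell shows how a Teams administrator would audit and then tighten the external-access configuration the attackers rely on, using the MicrosoftTeams PowerShell module. It assumes a Teams administrator account and uses `partner.example` as a placeholder for whichever outsourced IT provider actually needs to reach your staff.

```powershell
# Added example, not from the Sophos report: audit and harden Microsoft Teams
# external access with the MicrosoftTeams module. Assumes a Teams admin account.
# "partner.example" is a hypothetical domain; replace it with your real allow-list.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit. The weak default is AllowFederatedUsers=True with AllowedDomains set to
#    "AllowAllKnownDomains" (any tenant may initiate chats/calls) and unmanaged
#    personal Teams accounts allowed to reach your users inbound.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                        AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Block chats and calls from unmanaged (consumer) Teams accounts entirely.
#    A "Help Desk Manager" lure needs nothing more than a throwaway account otherwise.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 3. Replace "allow all domains" with an explicit allow-list of partner tenants.
#    Users from any other tenant can no longer start a chat or call with your staff.
#    If no external tenant needs access at all, use -AllowFederatedUsers $false instead.
$partnerDomain = New-CsEdgeDomainPattern -Domain "partner.example"
$allowList     = New-CsEdgeAllowList -AllowedDomain $partnerDomain
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 4. Verify before closing the change: the configuration must no longer be
#    "allow all" and consumer accounts must be blocked inbound.
$after = Get-CsTenantFederationConfiguration
$stillOpen = $after.AllowTeamsConsumerInbound -or
             ($after.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains')
if ($stillOpen) {
    Write-Warning "External access is still open; re-check the tenant federation settings."
} else {
    "External Teams access restricted to: " +
        ($after.AllowedDomains.AllowedDomain.Domain -join ', ')
}
```

The same settings are exposed in the Teams admin center under Users > External access, so the change can be made there instead; the point of the script is the audit-then-verify loop. Build the allow-list from real partner domains before enforcing it, because a restrictive federation setting silently blocks legitimate external contacts as well as attackers. Remote control tools outside Teams (for example Microsoft's Quick Assist) are governed separately, through application control policy rather than these federation settings.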
The attacks show how criminals are adapting their tactics to trusted business communication platforms, which makes it increasingly hard for employees to tell legitimate support requests from malicious ones without clear organizational guidance on how real IT support operates.