Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”

Sophos X-Ops’ Managed Detection and Response (MDR) is actively responding to incidents tied to two separate groups of threat actors, each of which have used the functionality of Microsoft’s Office 365 platform to gain access to targeted organizations with the likely goal of stealing data and deploying ransomware.

Sophos MDR began investigating these two separate clusters of activity in response to customer incidents in November and December 2024. Sophos is tracking these threats as STAC5143 and STAC5777. Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users.

STAC5777 overlaps with a threat group previously identified by Microsoft as Storm-1811. STAC5143 is a previously unreported threat cluster copying the Storm-1811 playbook, with possible connections to the threat actor known variously as FIN7, Sangria Tempest, or Carbon Spider.

We are publishing this in-depth report on both threat clusters to aid defenders in detecting and blocking these continuing threats, and to raise awareness of the spread of these tactics among organizations using the Office 365 platform. Sophos MDR has observed more than 15 incidents involving these tactics in the past three months, with half of them in the past two weeks.

Common tactics include:

• Email-bombing— targeted high volumes of spam email messages (as many as 3,000 in less than an hour) to overwhelm the Outlook mailboxes of a few individuals within the organization and create a sense of urgency
• Sending Teams messages and making Teams voice and video calls from an adversary-controlled Office 365 instance to targeted employees, posing as tech support for their organization
• Using Microsoft remote control tools—either Quick Assist or directly through Teams screen sharing—to take control of the targeted individual’s computer and install malware

STAC5143:

• Teams built-in remote control
• A Java Archive (JAR) and Java runtime that automate the exploitation of the victim’s computer
• JAR extracts Python-based backdoors from a .zip file downloaded from a remote SharePoint link.
• Uses techniques and tools connected to FIN7

STAC5777:

• Microsoft Quick Assist
• Hands-on-keyboard configuration changes and malware deployment
• Deployment of a legitimate Microsoft updater with a malicious side-loading DLL that provides persistence, steals credentials, and allows for discovery of network resources
• Uses RDP and Windows Remote Management to access other computers on the targeted network
• In one case, deployed Black Basta Ransomware
• Techniques, tools, and procedures overlap with Microsoft-identified threat actor Storm-1811
• Highly active

This report details the tactics of the two threat clusters, which both follow versions of the same attack pattern: email bombing and fake tech support social engineering with the delivery of malware, the exploitation of legitimate services through Microsoft’s Office 365 platform, and efforts to deploy command and control and data exfiltration tools.

We believe with high confidence that both sets of adversarial activity are parts of ransomware and data theft extortion efforts.

STAC5143

While some of the malware seen from this threat cluster in the two attacks Sophos observed were similar to attacks by FIN7 observed by eSentire and Sekoia , there were several things that diverged from the usual FIN7-type attack. FIN7 has been known to primarily target victims through phishing and (more recently) malicious sponsored Google Ads to deliver malware.  This attack chain was different, and targeted organizations smaller and in different business sectors than FIN7’s usual victims.

Attack chain

Initial access

In early November, an employee at a Sophos MDR customer organization reported to her internal IT contact that they had received an exceptionally large volume of spam messages—over 3,000 in a 45-minute period.  Shortly after that, they received a Teams call from outside their organization, from an account named “Help Desk Manager.” As the organization used a managed service provider for IT services, this did not set off red flags with the employee who accepted the video call.

During the call, the threat actor instructed the employee to allow a remote screen control session through Teams. Through this remote-control session that the attacker was able to open a command shell and drop files and execute malware, deploying them from an external SharePoint file store. The files included Java archive (JAR) files and a .zip archive containing Python code and other components.

First Stage Execution

The threat actor executed the JAR file from a command shell opened during the remote session with a copy of the legitimate javaw.exe, a Java “headless” runtime that interprets and executes Java code with no console output.

Via the Java-based proxy in MailQueue-Handler.jar, the attacker identified the process ID for javaw.exe using the Windows Management Instrumentation command line utility (WMIC.exe).  The attacker then changed the code page for the active console window to “65001” to allow UTF-8 encoding for multilingual input and output support. This was likely used along with PowerShell execution policy bypass to allow encoded commands to be executed and evade AMSI detection.

The Java code then ran a series of PowerShell commands that downloaded a 7zip archive and the 7zip archiving utility. The utility was then used to  extract the archive’s contents— a ProtonVPN executable and a malicious DLL (nethost.dll) side-loaded by the Proton executable.

Discovery

The attacker then obtained the target’s username using whoami.exe, and discovered network resources the user has access to via the net user command.

Sideload / Command and Control

The Java code then launched the ProtonVPN executable to side-load nethost.dll, which created sessions connecting to virtual private servers hosted in Russia, Netherlands and the US. This behavior triggered Sophos endpoint protection behavioral detections for an unsigned DLL sideload.

The code from the JAR next opens another cmd.exe session, again configuring it for UTF-8, and executes a second Java .jar file (identity.jar) with javaw.exe , passing  the target user’s username and Active Directory domain as parameters to the second-stage Java code.

An hour later, the tar.exe archive utility was used by the second-stage Java payload  to extract files from the dropped file winter.zip  to C:ProgramData. This was the Python malware payload being deployed. In addition, a series of commands were run to perform local user and network discovery—obtaining the name of network domain servers and their IP address.

Finally, the Java second stage code executed the malicious Python payload, using a Python interpreter included in the dropped files renamed to debug.exe. The Python scripts launched were a set of backdoors.

Malware analysis

The Python code in the winter.zip payload used  a lambda function (a short, anonymous throwaway function used in line with code) to obfuscate the rest of its script. That obfuscating lambda function matched  those  previously seen in FIN7-related Python malware loaders.

Two of the Python components (166_65.py and 45_237_80.py ) were copies of a publicly-available reverse SOCKS proxy called RPivot. Designed as a legitimate too for use by penetration testers, RPivot Each of these Python scripts used different IP addresses for their remote . These backdoors received commands from the remote connection over port 80.  Another script (37_44.py) was an RPivot script used to connect to a Tor relay.

Attribution

Sophos assesses with medium confidence that the Python malware used in this attack is connected to the threat actors behind FIN7/Sangria Tempest. The obfuscation method is identical to previous and FIN7 has been known to use the RPivot tool in attacks. However, we note that the obfuscation methods used are based on publicly available code, RPivot is also publicly available, and FIN7 has previously sold its tools to other cybercriminals.

STAC5777

As with STAC5143, a few individuals at targeted organizations have been bombarded with a massive amount of spam emails, followed by an inbound Microsoft Teams message from someone claiming to be with their internal IT team.

The Teams message—from the adversaries responsible for the spam messages— requested a Teams call to resolve the spam issues. But unlike the STAC5143 incidents we’ve observed, STAC5777 activity relied much more on “hands-on-keyboard” actions and scripted commands launched by the threat actors directly than STAC5143.

Initial access

In each of the incidents Sophos MDR documented, the adversary walked the user through the process of installing Microsoft Quick Assist over the Teams call. This was used to establish a remote session that gave the threat actor control over the targeted individual’s device.

One of the customer estates had Sophos Office 365 integration configured, which allowed MDR to confirm the actor used an Office365 account ‘helpdesk@llladminhlpll.onmicrosoft.com’ from  the IP address 78.46.67[.]201 to initiate these messages.

The threat actor walked the user through installing and executing the Microsoft remote access tool Quick Assist. The user was told to search for the application on the web, download it from the legitimate Microsoft website, and then launch it. They were then guided through granting the threat actor access to control the device remotely.

Figure 3: Microsoft Teams activity initiated by threat actor controlling an external M365 tenant 

Once in control of the device the actor leveraged a web browser to download the malicious payload. In one case, the payload was downloaded directly from the threat actor-controlled host. In the others, it was split into two payloads: kb641812-filter-pack-2024-1.dat and kb641812-filter-pack-2024-2.dat, subdomains of blob.core.windows[.]net (hosts associated with Microsoft Azure file storage services). They then combined the two .dat files into a named pack.zip and then decompressed that archive using the tar.exe archive utility.

This resulted in the creation of another archive file in the users’ AppData directory at OneDriveUpdateupd2836a.bkt The threat actor then decompressed that file with writing files into the same OneDriveUpdate folder:

• The legitimate, Microsoft-signed executable OneDriveStandaloneUpdaexe
• Unsigned DLLs from the OpenSSL Toolkit (libcrypto-3-x64.dll and libssl-3-x64.dll), loaded by the OneDriveStandaloneUpdater executable
• A legitimate, signed copy of vcruntime140.dll, a Microsoft library required by OneDriveStandaloneUpdater.exe
• An unknown DLL, winhttp.dll
• A file named settingsbackup.dat

SophosLabs analyzed winhttp.dll and confirmed to be malicious. It had fake version metadata from a legitimate ESET file and had been renamed so it would be side-loaded into memory by the legitimate executable due to DLL search order hijacking. The DLL was capable of collecting:

• System and operating system details
• Configuration information
• User credentials
• Keystroke the Windows API functions GetKeyboardState, GetKeyState, and get_KeySize.

SophosLabs could not determine the exact nature of the file settingsbackup.dat,’ but we believe it be an encrypted payload read by the process running the side-loaded DLL and used as a 2^nd stage loader.

Once the files had been placed onto the impacted host, Sophos MDR observed the threat actor opening a command prompt and making the following Windows registry change with the reg.exe utility:

reg add "HKLMSOFTWARETitanPlus" /v 1 /t REG_SZ /d "185.190.251.16:443;207.90.238.52:443;89.185.80.86:443" /f

The registry key entries provided the IP addresses used for the command-and-control connections made by the malicious winhttp.dll code.

Persistence

After making other configuration changes manually via a command shell over the Quick Assist connection and the initial execution of the legitimate ‘OneDriveStandaloneUpdater.exe’ binary, the attacker then executed a PowerShell command to create a service to automatically run the exploited executable. The PowerShell command also created a .lnk file for the executable in the devices’ startup items folder to maintain persistence through reboot.

Execution

When executed, onedrivestandaloneupdate.exe side-loaded winhttp.dll, a loader carrying a backdoor. The loader read configuration information that had been entered by the attacker, including a file named settingsbackup.dat, and reached out to multiple IP addresses that had been added to the system’s configuration manually by the threat actor.

Initial Quick Access activity

Command and Control

Using the unsigned OpenSSL toolkit drivers, the OneDriveStandaloneUpdate process made encrypted command-and-control connections to a set of remote hosts. The IP addresses of the hosts included a virtual private server operated by a hosting company used in the past by Russia-based threat actors.

Initial execution of OneDriveStandaloneUpdater.exe connecting to C2 IP addresses

Discovery

Once the C2 channel was established, the Sophos MDR team observed the OneDriveStandaloneUpdater.exe process conducting scanning with the SMB protocol to map online hosts within the customers’ environment.  The threat actor also scanned for Remote Desktop Protocol and Windows Remote Management (WinRM) hosts that the targeted user’s credentials could be used to connect to within the network.

Lateral Movement

Using the targeted user’s credentials, the threat actor made efforts to expand access beyond the initially compromised system, looking for domain access that could be elevated to move to other hosts. At one organization, they used a targeted individual’s domain credentials to connect to the organization’s VPN from outside the network and then to log into RDP hosts within the network. At another organization , they used Windows Remote Management (WinRM) to perform lateral movement.

Defense Evasion

In one incident, Sophos MDR observed the threat actor using the backdoor to uninstall local multifactor authentication integration on the target device. In another, the threat actor unsuccessfully attempted to uninstall the Sophos Endpoint Agent—an action blocked by Sophos’ tamper protection.

Credential gathering and data exfiltration

Prior to containment, Sophos MDR also observed the actor accessing files locally via notepad.exe and Word that contained the word ‘password’ in the name of the document.

In one case, the threat actors used the utility mstsc.exe to access two Remote Desktop Protocol (.rdp) files to view and edit their configuration data, looking for potential credential storage.

Sophos MDR also observed the threat actors accessing a network diagram for one targeted organization drawn in Visio, most likely to plan further lateral movement and impact phases of the attack.

Impact

In one case found in a threat hunt across all Sophos MDR customers, the threat actors attempted to execute Black Basta ransomware. This was blocked by Sophos endpoint protection.

Conclusions

Sophos has deployed detections for the malware used in these campaigns including:

• STAC5143: ATK/RPivot-B, Python/Kryptic.IV, heuristic detection of Python malicious use of operating system libraries
• STAC5777: Troj/Loader-DV for STAC5777’s winhttp.dll

However, organizations should take further steps to prevent attacks based on these tactics. First, unless absolutely necessary, organizations should ensure that their O365 service provisions restrict Teams calls from outside organizations or restrict that capability to trusted business partners. Additionally, remote access applications such as Quick Assist should be restricted by policy unless they are specifically used by the organization’s technical support team. Sophos can block unwanted execution of Quick Assist through application control settings in endpoint protection.

Sophos strongly recommends use of Microsoft Office 365 integration with the security environment for monitoring of sources of potentially malicious inbound Teams or Outlook traffic.

Organizations should also raise employee awareness of these types of tactics—these aren’t the types of things that are usually covered in anti-phishing training. Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social-engineering driven attacks depend upon.

A list of indicators of compromise for these campaigns is available on the Sophos GitHub repository.