Sophos has identified two campaigns conducted by the groups STAC5143 and STAC5777, leveraging Microsoft Teams to infiltrate organizations for data theft and ransomware distribution.
Sophos initiated its investigation of these incidents in November and December 2024. Both groups utilize their own Microsoft Office 365 accounts to prepare their attacks, exploiting default Teams settings that permit external users to contact employees within targeted organizations.
STAC5143 and STAC5777 employ similar tactics. The attack begins with a large-scale spam campaign—sending up to 3,000 emails per hour—to overwhelm employees’ inboxes and create a false sense of urgency. Following this, the attackers initiate contact through Teams, impersonating IT support personnel and persuading victims to grant access to their devices.
Once access is obtained, the hackers deploy malware using legitimate Microsoft services such as Quick Assist and Teams. By leveraging employee accounts, the attackers gain entry to additional systems through VPN, RDP, and Windows Remote Management.
STAC5143 focuses on automation, utilizing Java Archives (JAR), Python scripts, and remote resources like SharePoint to deliver backdoors. In one attack, JAR files were identified extracting archives containing malicious code and executing commands via PowerShell, effectively bypassing Windows’ standard security mechanisms.
In contrast, STAC5777 relies on manual techniques. Cybercriminals use Quick Assist to gain device access and then manually install malware. The group has been linked to the Black Basta ransomware, which was successfully blocked during one of the incidents.
Sophos warns that the use of Microsoft Teams and other services poses a security risk in the absence of proper configuration. To safeguard against such threats, organizations are advised to:
- Restrict the ability to connect to Teams from external domains.
- Disable the use of Quick Assist unless explicitly required by company policy.
- Integrate Office 365 with a security monitoring system.
- Train employees to increase awareness of potential threats.
These cyberattacks highlight how threat actors adapt their strategies by exploiting legitimate services to compromise systems. Sophos continues to analyze the activities of STAC5143 and STAC5777, urging all organizations to implement additional security measures proactively.
