Hackers are using Microsoft Teams to conduct “email bombing” attacks

News
By published

Experts told ITPro that tactics like this are on the rise, and employees must be trained effectively

Microsoft Teams app with logo and community section displayed on a laptop screen.
(Image credit: Getty Images)

Threat actors are posing as tech support workers to launch attacks through Microsoft Teams, according to a report from Sophos.

The firm is tracking two threats dubbed STAC5143 and STAC5777, having first begun investigating clusters of activity in November and December 2024. Both threat actors used their own Microsoft 365 tenants as part of their attacks.

Attackers took advantage of a default Microsoft Teams configuration that allows users on external domains to start chats or meetings with internal users, Sophos said.

While STAC5143 is a previously unreported threat, STAC5777 has been identified by Microsoft as Storm-1811. STAC5143 may have connections to a threat actor known also as FIN7, Sangria Tempest, or Carbon Spider.

‘We are publishing this in-depth report on both threat clusters to aid defenders in detecting and blocking these continuing threats, and to raise awareness of the spread of these tactics among organizations using the Office 365 platform,” Sophos MDR said.

The firm claims to have observed over 15 incidents involving these tactics over the past three months, with half conducted in the past two weeks.

"Email bombing is not a new technique, but it is an effective technique that has been on the rise due to the increase in free mail bombing tools and mail bombing services that will sign up users to a long list of free email subscriptions for a price,” Chance Caldwell, Senior Director at Cofense, told ITPro.

“These spamming techniques are used in a wide array of attacks with varying objectives, but they are all trying to obscure their activity by hiding behind the hundreds if not thousands of emails being sent to the user,” he added.

How can businesses be prepared?

These attacks are difficult to spot, Caldwell said, as traditional security tools do not recognize the spam emails being sent. On the other hand, blocking emails at a large scale could lead to legitimate emails being impacted.

RELATED WHITEPAPER

How to enable M365 Copilot for your organisation

(Image credit: CDW | Microsoft Copilot)

Migrate and optimize your IT environment

“Employees should be taught the proper communication methods with their company's internal help desk or security teams to ensure that they do not fall for a threat actor's attempts to engage with them under the pretense of providing tech support," Caldwell said.

Organizations should also ensure employees know which Remote Access Tools their organization uses, according to Max Gannon, Intelligence Manager at Cofense.

“Simply creating a list of approved tools and ensuring employees know what is on it can help defend against attacks such as these," Gannon told ITPro.

George Fitzmaurice
George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.

More about cyber attacks
A CGI render of a warning symbol representing malware, sitting on an abstract computer surface. Decorative: the warning sign is glowing red and there is blue and yellow diffused light throughout.

What is an APT and how are they tracked?
Jeremy Fleming, former head of GCHQ, onstage with Haider Pasha, chief security officer, EMEA & LATAM at Palo Alto Networks at Ignite London 2025.

Businesses must get better at sharing cyber information, urges former GCHQ chief
An abstract image showing blocks of blue shiny material overlaid on one another to represent LQMs and AI.

What are large quantitative models (LQMs)?
See more latest
Most Popular
Red Ubuntu logo appearing on a web browser with a microscope over the logo, placing emphasis on it
Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
Gold lock floating above a digitally rendered motherboard with blue and red glowing hues, denoting ransomware
Security researchers hack BlackLock ransomware gang in push back against rising threat actor
A busy customer service desk
Omnissa eyes growth with revamped partner program
Female software developer using AI coding tools on a desktop computer with light from screen reflecting in spectacles.
Developers spend 17 hours a week on security — but don't consider it a top priority
A close-up of a digital dashboard showing stock market graphs overlaid onto a world map.
Financial services firms look to AI to improve resilience
Male software engineer working on a laptop at a home office desk with two PC monitors sitting on top of desk.
‘This shift highlights not just a continuation but a broad acceptance of remote work as the norm’: Software engineers are sticking with remote work and refusing to budge on RTO mandates – and 21% would quit if forced back to the office
Ransomware concept image showing a warning symbol in red with binary code in background.
Healthcare systems are rife with exploits — and ransomware gangs have noticed
Application security concept image showing a digitized padlock placed upon a digital platform.
ESET looks to ‘empower’ partners with cybersecurity portfolio updates
Databricks logo and branding pictured on a MacBook Pro screen.
Databricks and Anthropic are teaming up on agentic AI development – here’s what it means for customers
Dell Technologies logo and branding pictured at the company's stall at Mobile World Congress (MWC) in Barcelona, Spain.
Scale of Dell job cuts laid bare as firm sheds 10% of staff in a year