Hackers are using Microsoft Teams to conduct “email bombing” attacks

News
By published

Experts told ITPro that tactics like this are on the rise, and employees must be trained effectively

Microsoft Teams app with logo and community section displayed on a laptop screen.
(Image credit: Getty Images)

Threat actors are posing as tech support workers to launch attacks through Microsoft Teams, according to a report from Sophos.

The firm is tracking two threats dubbed STAC5143 and STAC5777, having first begun investigating clusters of activity in November and December 2024. Both threat actors used their own Microsoft 365 tenants as part of their attacks.

Attackers took advantage of a default Microsoft Teams configuration that allows users on external domains to start chats or meetings with internal users, Sophos said.

While STAC5143 is a previously unreported threat, STAC5777 has been identified by Microsoft as Storm-1811. STAC5143 may have connections to a threat actor known also as FIN7, Sangria Tempest, or Carbon Spider.

‘We are publishing this in-depth report on both threat clusters to aid defenders in detecting and blocking these continuing threats, and to raise awareness of the spread of these tactics among organizations using the Office 365 platform,” Sophos MDR said.

The firm claims to have observed over 15 incidents involving these tactics over the past three months, with half conducted in the past two weeks.

"Email bombing is not a new technique, but it is an effective technique that has been on the rise due to the increase in free mail bombing tools and mail bombing services that will sign up users to a long list of free email subscriptions for a price,” Chance Caldwell, Senior Director at Cofense, told ITPro.

“These spamming techniques are used in a wide array of attacks with varying objectives, but they are all trying to obscure their activity by hiding behind the hundreds if not thousands of emails being sent to the user,” he added.

How can businesses be prepared?

These attacks are difficult to spot, Caldwell said, as traditional security tools do not recognize the spam emails being sent. On the other hand, blocking emails at a large scale could lead to legitimate emails being impacted.

RELATED WHITEPAPER

How to enable M365 Copilot for your organisation

(Image credit: CDW | Microsoft Copilot)

Migrate and optimize your IT environment

“Employees should be taught the proper communication methods with their company's internal help desk or security teams to ensure that they do not fall for a threat actor's attempts to engage with them under the pretense of providing tech support," Caldwell said.

Organizations should also ensure employees know which Remote Access Tools their organization uses, according to Max Gannon, Intelligence Manager at Cofense.

“Simply creating a list of approved tools and ensuring employees know what is on it can help defend against attacks such as these," Gannon told ITPro.

George Fitzmaurice
George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.

More about cyber attacks
Neon lightning supported on a concrete wall

300 days under the radar: How Volt Typhoon eluded detection in the US electric grid for nearly a year
Computer code and text displayed on computer screens.

More than 300,000 US healthcare patients impacted in suspected Rhysida cyber attacks
UK Prime Minister Keir Starmer speaking during a Q&A session after delivering a speech on plans to reform the civil service, during a visit to Reckitt Benckiser Health Care UK.

Starmer bets big on AI to unlock public sector savings
See more latest
Most Popular
UK Prime Minister Keir Starmer speaking during a Q&A session after delivering a speech on plans to reform the civil service, during a visit to Reckitt Benckiser Health Care UK.
Starmer bets big on AI to unlock public sector savings
Ransomware concept image showing digitized padlock pictured on a laptop screen on red background
February was the worst month on record for ransomware attacks – and one threat group had a field day
Programming code and big data wave on a black background.
Open source security in the spotlight as UK gov publishes fresh guidance
Cartoon-style recruitment concept image showing male job candidate sitting across desk from female hiring manage during an interview.
Tech talent shortages mean firms are scrapping traditional recruitment strategies
Agentic AI concept image showing human brain split in two halves, with one side digitized on a grid pattern and the other illuminated in yellow with brainwaves emitting.
National Grid investment wing backs AI startups to boost energy efficiency
Layoffs concept image showing line of cartoon-style laid-off workers leaving an office space with belongings in cardboard boxes.
Laid-off workers are ditching full-time work: 70% of staff caught up in brutal layoffs opted for part-time roles and freelance gigs – and flexibility was the big appeal for many
Agentic AI concept image showing a digitized human brain in purple color with interconnected data points.
AI is now vital to MSP growth, but adoption challenges could hamper success
UK map concept art showing digitized UK landmass outline in blue.
UK firms are pulling ahead of EU competitors in the AI race – here's why
Microsoft CEO Satya Nadella speaking on stage during an event at the Microsoft campus in Redmond, Washington, US.
‘The entire forecasting business process changed’: Microsoft CEO Satya Nadella says Excel changed the game for enterprises in 1985 – he’s confident AI tools will do the same
Medusa statue bust on white background
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted