Hackers are using Microsoft Teams to conduct “email bombing” attacks
Experts told ITPro that tactics like this are on the rise, and employees must be trained effectively


Threat actors are posing as tech support workers to launch attacks through Microsoft Teams, according to a report from Sophos.
The firm is tracking two threats dubbed STAC5143 and STAC5777, having first begun investigating clusters of activity in November and December 2024. Both threat actors used their own Microsoft 365 tenants as part of their attacks.
Attackers took advantage of a default Microsoft Teams configuration that allows users on external domains to start chats or meetings with internal users, Sophos said.
While STAC5143 is a previously unreported threat, STAC5777 has been identified by Microsoft as Storm-1811. STAC5143 may have connections to a threat actor also known as FIN7, Sangria Tempest, or Carbon Spider.
“We are publishing this in-depth report on both threat clusters to aid defenders in detecting and blocking these continuing threats, and to raise awareness of the spread of these tactics among organizations using the Office 365 platform,” Sophos MDR said.
The firm claims to have observed over 15 incidents involving these tactics over the past three months, with half conducted in the past two weeks.
“Email bombing is not a new technique, but it is an effective technique that has been on the rise due to the increase in free mail bombing tools and mail bombing services that will sign up users to a long list of free email subscriptions for a price,” Chance Caldwell, Senior Director at Cofense, told ITPro.
“These spamming techniques are used in a wide array of attacks with varying objectives, but they are all trying to obscure their activity by hiding behind the hundreds if not thousands of emails being sent to the user,” he added.
How can businesses be prepared?
These attacks are difficult to spot, Caldwell said, as traditional security tools do not recognize the spam emails being sent. On the other hand, blocking emails at a large scale could lead to legitimate emails being impacted.
“Employees should be taught the proper communication methods with their company's internal help desk or security teams to ensure that they do not fall for a threat actor's attempts to engage with them under the pretense of providing tech support,” Caldwell said.
Organizations should also ensure employees know which Remote Access Tools their organization uses, according to Max Gannon, Intelligence Manager at Cofense.
“Simply creating a list of approved tools and ensuring employees know what is on it can help defend against attacks such as these,” Gannon told ITPro.
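The flood described above, hundreds of subscription emails reaching one user in a short time, can be alerted on per mailbox rather than blocked at scale. The sketch below is an added example, not code from Sophos, Cofense or ITPro; the event fields, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MIN_MESSAGES = 50                # assumed burst size for one mailbox
MIN_SENDER_DOMAINS = 30          # assumed spread of unrelated senders


def detect_email_bombing(events, window=WINDOW, min_messages=MIN_MESSAGES,
                         min_domains=MIN_SENDER_DOMAINS):
    """Return {recipient: first_alert_time} for mailboxes hit by a burst.

    events: iterable of (timestamp, sender, recipient), sorted by time.
    A burst is many messages from many distinct sender domains inside the
    window, which is what mass list sign-ups look like at the mailbox.
    """
    recent = defaultdict(deque)      # recipient -> deque of (ts, domain)
    alerts = {}
    for ts, sender, recipient in events:
        rcpt = recipient.lower()
        domain = sender.rsplit("@", 1)[-1].lower()
        q = recent[rcpt]
        q.append((ts, domain))
        while q and ts - q[0][0] > window:   # drop entries older than window
            q.popleft()
        if rcpt in alerts:
            continue                         # one alert per mailbox
        if len(q) >= min_messages and len({d for _, d in q}) >= min_domains:
            alerts[rcpt] = ts
    return alerts


def build_sample_log():
    """Constructed records: one flooded mailbox, one busy but normal one."""
    start = datetime(2025, 1, 20, 9, 0, 0)
    events = []
    # 120 sign-up confirmations from 120 different domains in 4 minutes
    for i in range(120):
        events.append((start + timedelta(seconds=2 * i),
                       f"noreply@list{i}.example", "alice@corp.example"))
    # 80 messages from one internal system: high volume, single domain
    for i in range(80):
        events.append((start + timedelta(seconds=3 * i),
                       "tickets@corp.example", "bob@corp.example"))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for rcpt, ts in detect_email_bombing(build_sample_log()).items():
        print(f"ALERT {ts.isoformat()} possible email bombing of {rcpt}")
```

Requiring many distinct sender domains, not just volume, keeps a single noisy but legitimate sender from triggering the alert; an alert is a cue to warn the user and the help desk, not to drop mail.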
George Fitzmaurice is a former Staff Writer at ITPro and ChannelPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.