SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Sophos warns of rising threats exploiting Office 365 tools

Researchers at Sophos X-Ops have identified two active threat campaigns targeting organisations by exploiting the Microsoft Office 365 platform and remote management tools to steal data and deploy ransomware.

According to the cybersecurity firm, Sophos Managed Detection and Response (MDR) has detected over 15 incidents linked to these tactics in the last three months, with a notable surge in activity in the past two weeks.

The threat groups involved use a common set of tactics. They start by targeting specific employees within companies that use Microsoft Teams. They then inundate these employees with excessive spam emails, employing a technique known as email-bombing, before initiating follow-up contact via voice and video calls through Microsoft Teams. These calls often claim to offer assistance in resolving the spam issue.

Once trust is established with the recipients, attackers leverage tools like Quick Assist or Microsoft Teams screen sharing to take control of the targeted employee's computer, eventually deploying ransomware.

Sophos X-Ops has detected links between one of the threat actor groups and the Russian cybercriminal organisation Fin7. Another group involved is connected with the Russian group Storm-1811. In light of these findings, Sophos has decided to publish the research to aid organisations in defending against this escalating threat.

Sean Gallagher, Principal Threat Researcher at Sophos, commented on the tactics being employed, noting, "While exploitation of remote management tools and abuse of legitimate services are themselves not wholly new, we are seeing more and more threat groups adopt these tactics to target companies of all sizes."

"Microsoft Teams' default configuration allows individuals outside an organisation to chat with or call internal staff at a company, and attackers are abusing this feature. Since many companies use managed service providers for their IT support, receiving a Teams call from an unknown person that's labeled as 'Help Desk Manager' may not ring alarm bells, especially if it's combined with an overwhelming amount of spam email."

"As Sophos continues to see new MDR and IR cases associated with these tactics, we want companies using Microsoft O365 to be on high alert. They should check company-wide configurations, block outside account messages if possible, and block remote access tools and remote machine management tools not regularly used by their organisations."
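As an added defender-side illustration (not code from the article or from Sophos), the attack chain described above can be expressed as one correlation rule over mail and endpoint telemetry: an email-bomb against a single mailbox, followed by a Teams call from an external account, followed by a remote-assistance tool starting on that user's machine. The event schema, thresholds and sample events below are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not figures from the article.
BOMB_MIN_MAILS = 50                     # this many mails inside BOMB_WINDOW = email-bomb
BOMB_WINDOW = timedelta(minutes=15)
CALL_AFTER_BOMB = timedelta(hours=4)    # external Teams call must follow the bomb
TOOL_AFTER_CALL = timedelta(hours=1)    # remote tool must start soon after the call
REMOTE_TOOLS = {"quickassist.exe"}      # extend with tools your org does not use

def detect_helpdesk_lure(events, bomb_min=BOMB_MIN_MAILS):
    """Return one alert per (user, external call, remote tool) that completes the chain."""
    per_user = defaultdict(lambda: {"mail": [], "call": [], "tool": []})
    for e in sorted(events, key=lambda e: e["ts"]):      # ISO-8601 strings sort correctly
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "mail_received":
            per_user[e["user"]]["mail"].append(ts)
        elif e["type"] == "teams_call" and e.get("external"):
            per_user[e["user"]]["call"].append(ts)
        elif e["type"] == "process_start" and e["image"].lower() in REMOTE_TOOLS:
            per_user[e["user"]]["tool"].append((ts, e["image"]))
    alerts = []
    for user, s in per_user.items():
        mails, bomb_at, lo = s["mail"], None, 0
        for hi in range(len(mails)):                      # sliding window over mail arrivals
            while mails[hi] - mails[lo] > BOMB_WINDOW:
                lo += 1
            if hi - lo + 1 >= bomb_min:
                bomb_at = mails[hi]                       # moment the mailbox crossed the threshold
                break
        if bomb_at is None:
            continue
        for call_at in s["call"]:
            if not bomb_at <= call_at <= bomb_at + CALL_AFTER_BOMB:
                continue
            for tool_at, image in s["tool"]:
                if call_at <= tool_at <= call_at + TOOL_AFTER_CALL:
                    alerts.append({"user": user, "bomb_at": bomb_at.isoformat(),
                                   "call_at": call_at.isoformat(), "tool": image})
    return alerts

def _mails(user, start, n, every_seconds=10):            # constructed mail-arrival events
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i * every_seconds)).isoformat(),
             "user": user, "type": "mail_received"} for i in range(n)]

SAMPLE_EVENTS = (                                         # constructed sample timeline
    _mails("alice", "2025-01-15T09:00:00", 60)            # 60 mails in 10 minutes: bombed
    + [{"ts": "2025-01-15T09:40:00", "user": "alice", "type": "teams_call", "external": True},
       {"ts": "2025-01-15T09:55:00", "user": "alice", "type": "process_start", "image": "QuickAssist.exe"}]
    + _mails("bob", "2025-01-15T10:00:00", 3)             # bob: same call + tool, but no bomb
    + [{"ts": "2025-01-15T10:05:00", "user": "bob", "type": "teams_call", "external": True},
       {"ts": "2025-01-15T10:10:00", "user": "bob", "type": "process_start", "image": "QuickAssist.exe"}]
)
```

Bob's legitimate-looking external call plus Quick Assist launch produces no alert because the email-bomb stage is missing, which is what keeps the rule from paging on ordinary MSP support sessions.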
