Lessons from ransomware gangs exploiting Microsoft Teams

What happened

Cybercriminals are using Microsoft Teams and phishing tactics to break into company systems. Researchers from Sophos found that hackers linked to Black Basta ransomware are pretending to be IT support on Microsoft Teams calls. They take advantage of Teams' settings, which often allow communication from outside sources, to trick employees into giving them remote access. The attackers send spam to distract victims and then make fake support calls from compromised Office 365 accounts. Once they get access, they install harmful files disguised as legitimate tools to stay in control of the system.

Going deeper

• Email bombing: In one documented operation (STAC5143), attackers unleashed 3,000 emails over 45 minutes, overwhelming victims with spam and reducing their capacity to scrutinize incoming messages.
• Teams impersonation: After the email barrage, victims received a Microsoft Teams call from a fake “Help Desk Manager.” Believing the call was legitimate, they unknowingly granted remote access, enabling the attackers to install malicious software and create backdoors.
• Legitimate-looking tools: The hackers cleverly disguised harmful files as trusted software, allowing them to record keystrokes, steal credentials, and scan networks undetected.
• Multi-stage tactics: In another campaign (STAC5777), the attackers spammed victims before posing as IT support on Teams. They convinced targets to install Microsoft Quick Assist, thereby gaining direct access and, once inside, searched for passwords, examined remote desktop protocol files, and expanded their reach into the broader network.

The potential risks of these infiltration techniques

• Trust exploitation: Collaboration platforms like Microsoft Teams thrive on trust and convenience. When attackers infiltrate these communication channels, employees may mistakenly believe they are interacting with legitimate colleagues or IT support, dramatically lowering their guard.
• Data exfiltration and credential harvesting: Retrieving files containing the word "password" and scanning remote desktop protocol (RDP) configurations allows attackers to compile a wealth of login credentials. It puts every connected system at risk and may enable lateral movement across the network.
• Disruption of business operations: Once entrenched, ransomware groups can encrypt data, hold entire systems hostage, or even exfiltrate sensitive information for double extortion. These actions can lead to operational downtime, revenue loss, and reputational damage.
• Multi-level psychological manipulation: Sending thousands of emails in a short time frame overwhelms victims, making them more susceptible to social engineering. When combined with fake Teams calls and impersonations, attackers exploit both technical and human vulnerabilities.

Lessons from these infiltration tactics

• Question default collaboration settings: Organizations should reevaluate default Teams configurations allowing external communications. Restricting or moderating outside domain access can reduce the attack surface.
• Promote a zero-trust mindset: Employees must adopt a healthy skepticism toward unsolicited communications—even from seemingly familiar platforms. Regularly remind staff that legitimate IT support rarely appears unannounced, especially with urgent requests to install software.
• Elevate security awareness training: Traditional phishing education is no longer enough. Modern programs should address multi-stage attacks, illustrating how email bombing, urgent requests, and realistic impersonations work together to deceive. 
• Implement layered access controls: Multi-factor authentication (MFA), endpoint monitoring, and intrusion detection systems can help catch anomalies—like unauthorized logins or unusual data transfers—before severe damage occurs.
• Strengthen incident response protocols: Rapid response can make the difference between a minor breach and a full-blown ransomware crisis. Comprehensive playbooks, routine drills, and a cross-functional response team ensure organizations can react effectively under pressure.
• Continuous monitoring and threat hunting: Proactive measures such as network scans, log analysis, and threat intelligence feeds help identify suspicious activity early. Detecting anomalies quickly enables security teams to disrupt attacks before systems are compromised.

The big picture

These campaigns demonstrate how attackers repurpose everyday tools for malicious purposes. Subverting trust in platforms like Microsoft Teams allows them to bypass traditional email gateways and filters. As organizations increasingly rely on remote collaboration, the attack surface grows, making it necessary to question default configurations and continuously educate end users. Even the most sophisticated technical defenses can be compromised by a single misguided click, indicating that cybersecurity is ultimately a shared responsibility across every department.

FAQs

What are external domains in Microsoft Teams?

External domains enable communication between people outside your organization and internal Teams accounts. While this feature is enabled by default for convenient collaboration, it can be exploited by attackers posing as legitimate contacts or service providers.

Why do attackers prefer communication platforms like Teams over standard email?

Many organizations focus their security efforts on email-based phishing. Teams and similar platforms are often considered “safe zones,” leading employees to trust messages more readily and increasing the likelihood of successful social engineering attacks.

What’s different about multi-stage social engineering?

In multi-stage attacks, criminals strategically combine email spamming, impersonation, and legitimate-seeming tools to deceive victims into trusting their authenticity. Orchestrating multiple touchpoints creates a sense of urgency and familiarity, increasing employees' vulnerability.

How can I protect my organization from such threats?

• Restrict external domain access and review default Teams settings.
• Educate staff about new phishing tactics, including impersonation on collaboration tools.
• Implement multi-factor authentication and endpoint monitoring to detect anomalous activity.
• Develop and test an incident response plan to quickly contain breaches.