
Ransomware groups have evolved their tactics, combining email bombing with fraudulent Microsoft Teams support calls to compromise corporate networks. This sophisticated approach has been observed in attacks linked to the Black Basta ransomware group and potentially FIN7-associated actors.
Attack Methodology:
– Threat actors flood the target's inbox with thousands of spam emails (newsletter sign-ups and similar junk) so the victim is primed to accept "help"
– Attackers then contact the victim over Microsoft Teams, posing as internal IT support or a help desk
– They rely on the default Teams external access (federation) setting, which lets users in any external tenant message and call employees
– The caller talks the victim into launching a remote-control tool such as Microsoft Quick Assist and handing over control of the machine
Two Notable Campaign Groups:
STAC5143 Campaign:
– Floods the target inbox with about 3,000 emails in 45 minutes
– Deploys malicious JAR files and Python scripts after the Teams call
– Uses a legitimate ProtonVPN executable to side-load a malicious DLL
– Uses RPivot (a reverse SOCKS proxy) to tunnel command-and-control traffic
– Possible FIN7 connection due to similar tools and techniques
STAC5777 Campaign:
– Connected to Black Basta ransomware operations
– Utilizes Microsoft Quick Assist for system access
– Downloads malware payloads from Azure Blob Storage
– Side-loads a malicious DLL into a legitimate Microsoft process
– Focuses on credential harvesting and network reconnaissance
Recommended Security Measures:
– Restrict Teams external access (federation) to an allow-list of trusted partner domains, or disable it outright, and block consumer (personal) Teams accounts
– Remove or block Quick Assist (and other remote-control tools your help desk does not use) on endpoints that do not need it, and tell users that IT will never cold-call them on Teams
– Limit what a compromised workstation can reach: application control for remote-access tools and no standing local admin rights for ordinary users
– Alert on sudden inbound email floods to a single mailbox, on Teams calls or chats from unknown external tenants, and on launches of Quick Assist or similar tools shortly afterward
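The measures above, worked through as a PowerShell script. This is an added example, not code from the article or from any of the vendors it mentions. It assumes an admin session with the MicrosoftTeams and ExchangeOnlineManagement modules already connected (Connect-MicrosoftTeams, Connect-ExchangeOnline), local admin rights on the endpoint, and process-creation auditing (event 4688) enabled; the partner domain names, the monitored mailbox, the thresholds and the list of remote-control executables are placeholders to adapt.

```powershell
# Added example (not from the original article). Placeholders: partner domains,
# recipient address, thresholds and the remote-tool executable list.

# --- 1. Teams: stop "anyone in any tenant" from calling or chatting staff -----------
# Show the current federation posture first; the tenant default allows all external
# domains and consumer Teams accounts.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound

# Option A: disable external access entirely (simplest, breaks legitimate B2B chat).
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false

# Option B: keep federation but only with an explicit allow-list (placeholder domains).
$partners = @('partner-a.example', 'partner-b.example') |
    ForEach-Object { New-CsEdmAllowedDomain -Domain $_ }
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains @{Add = $partners} `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# --- 2. Quick Assist: remove it from endpoints that do not need it -------------------
# Older builds ship Quick Assist as a Feature on Demand, newer ones as a Store app;
# handle both. Users can reinstall from the Store unless that is also blocked.
$qa = Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*'
if ($qa -and $qa.State -eq 'Installed') {
    Remove-WindowsCapability -Online -Name $qa.Name
}
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxPackage -AllUsers

# --- 3. Detection: email-bomb burst followed by a remote-control tool launch --------
function Test-MailboxFlood {
    # Returns $true when a single mailbox received more than $Threshold messages in the
    # last $WindowMinutes (the STAC5143 burst was ~3,000 in 45 minutes).
    param(
        [Parameter(Mandatory)] [string] $Recipient,
        [int] $WindowMinutes = 45,
        [int] $Threshold     = 1000   # placeholder; tune per organisation
    )
    $end   = Get-Date
    $start = $end.AddMinutes(-$WindowMinutes)
    # Message trace covers only recent mail; PageSize caps at 5000 rows per call.
    $msgs  = Get-MessageTrace -RecipientAddress $Recipient -StartDate $start -EndDate $end -PageSize 5000
    $count = ($msgs | Measure-Object).Count
    if ($count -lt $Threshold) { return $false }
    # A bomb usually arrives from hundreds of unrelated sender domains; list the top ones.
    $msgs | Group-Object { ($_.SenderAddress -split '@')[-1] } |
        Sort-Object Count -Descending | Select-Object -First 10 Name, Count | Format-Table
    return $true
}

function Get-RemoteToolLaunches {
    # Lists process-creation events (4688) for remote-control tools in the last N minutes.
    # Requires "Audit Process Creation"; Properties[5] is NewProcessName, [1] the user.
    param([int] $SinceMinutes = 60)
    $tools = @('quickassist.exe', 'anydesk.exe', 'teamviewer.exe')   # placeholder list
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688
                                     StartTime = (Get-Date).AddMinutes(-$SinceMinutes) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $tools -contains ([System.IO.Path]::GetFileName($_.Properties[5].Value)).ToLower() } |
        Select-Object TimeCreated,
                      @{ n = 'User';    e = { $_.Properties[1].Value } },
                      @{ n = 'Process'; e = { $_.Properties[5].Value } }
}

# Correlate the two signals for one user (placeholder address); both together is the
# pattern described in the article and should page someone.
$victim = 'user@corp.example'
if (Test-MailboxFlood -Recipient $victim) {
    $launches = Get-RemoteToolLaunches -SinceMinutes 120
    if ($launches) {
        Write-Warning "Email flood to $victim followed by remote-tool launch:"
        $launches | Format-Table -AutoSize
    }
}
```

Option B is the one most organisations can live with; allow-listing does not stop a partner tenant that is itself compromised, so the Quick Assist controls and the detection in step 3 still matter. Get-MessageTrace is run from the tenant, while Get-RemoteToolLaunches reads the local Security log and is meant to be run on (or collected from) the endpoint; in practice both queries would be pointed at whatever SIEM already ingests these sources.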
These attacks highlight the increasing sophistication of ransomware operations and the need for enhanced security protocols in corporate environments.