
Hackers leverage Microsoft Office 365 to deploy ransomware, steal data


Cybercriminals exploit weaknesses in Microsoft Office 365 and Teams configurations to breach organisational defences, targeting users with sophisticated social engineering attacks involving email bombing, fake tech support messages, and malware deployment. These coordinated efforts, linked to two distinct threat clusters known as STAC5143 and STAC5777, aim to steal sensitive data, gain unauthorised access, and sometimes deploy ransomware.

The attack leverages default settings in Microsoft Teams to impersonate IT support, tricking users into granting remote access and installing malicious software.

The activity was detected between November and December 2024, when multiple organisations reported unusual incidents. Attackers exploited Microsoft Teams’ configuration, which allows external users to initiate chats or meetings, using this feature as a gateway into internal systems. Over 15 incidents have been documented, signalling a growing trend in such tactics.

As researchers discovered, one group (STAC5143) used Java-based tools and Python malware delivered through external links. Their approach involved sophisticated obfuscation techniques and command-and-control channels established through VPNs hosted in multiple countries.

Another group (STAC5777) adopted a more direct approach, leveraging Microsoft Outlook Assist to establish remote access. They utilised malicious DLL files for persistence, conducted lateral movements via RDP and Windows Remote Management, and attempted to deploy ransomware.

Experts observed that threat actors manipulated user credentials and accessed sensitive network diagrams in some cases, likely to prepare for further breaches.

Malware analysis revealed a variety of advanced tactics, including abuse of PowerShell scripts, DLL side-loading, and registry modifications to maintain access and control. Attackers used tools such as Python-based backdoors and encrypted command channels to communicate with remote servers, underscoring the technical sophistication of their operations.

Researchers have advised organisations to restrict external communications on Microsoft Teams, limit the use of remote access tools, and implement robust monitoring systems to detect unusual activities. Employee awareness campaigns to identify and mitigate social engineering attempts can further strengthen defences.
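As an added example (not from the article or from Sophos), the Teams external-access setting the attackers rely on can be audited and tightened with the MicrosoftTeams PowerShell module; it assumes the module is installed, the account holds Teams admin rights, and "partner.example" is a placeholder for a trusted partner domain.

```powershell
# Added example: audit and restrict Microsoft Teams external access.
# Assumes the MicrosoftTeams module is installed and the signed-in account has Teams admin rights.
Connect-MicrosoftTeams

# Audit: with the permissive defaults, any external tenant or personal (consumer) Teams account
# can start a chat or call with your users, which is the entry point described above.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

if ($cfg.AllowFederatedUsers -or $cfg.AllowTeamsConsumerInbound) {
    Write-Warning "External Teams users can initiate chats or calls into this tenant; review AllowedDomains"
}

# Harden: block personal (consumer) Teams accounts entirely, and limit tenant-to-tenant
# federation to an explicit allow-list. 'partner.example' is a placeholder for a trusted partner.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList @("partner.example")

# If no external collaboration is needed at all, disable federation outright instead:
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains
```

Pair the allow-list with monitoring of inbound Teams messages from domains outside it, so a new external chat from an unknown tenant is visible to the security team rather than only to the targeted employee.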

“Sophos strongly recommends the use of Microsoft Office 365 integration with the security environment for monitoring of sources of potentially malicious inbound Teams or Outlook traffic,” researchers concluded. “Organisations should also raise employee awareness of these types of tactics—these aren’t the types of things that are usually covered in anti-phishing training. Employees should be aware of who their actual technical support team is and be mindful of tactics intended to create a sense of urgency that these sorts of social-engineering driven attacks depend upon.”


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
