
Russian cybercriminals are increasingly posing as tech support staff on Microsoft Teams to infiltrate corporate networks and deploy ransomware, British cybersecurity firm Sophos has revealed.
Sophos has identified more than 15 incidents where attackers exploited Microsoft Office 365’s default settings to impersonate IT professionals. The attackers used the Teams platform to socially engineer their way into systems, relying on voice or video calls to trick employees into granting remote access.
Two groups are behind the attacks, according to Sophos. One aligns with Storm-1811, a group previously flagged by Microsoft for similar scams. The other imitates Storm-1811’s methods and has potential ties to the infamous FIN7 cybercrime group.
Sean Gallagher, a principal threat researcher at Sophos X-Ops, explained how victims were overwhelmed with phishing emails before receiving a Teams call from someone claiming to be their IT help desk. The attackers then used Microsoft tools, such as Quick Assist or Teams’ screen-sharing function, to gain control of victims’ devices.
Gallagher highlighted the success of these scams, particularly in organisations outsourcing their IT support. "People don’t scrutinise who they’re talking to, especially when overwhelmed with emails," he said.
The attackers deployed malware via remote sessions, often using Python and Java tools with obfuscation methods linked to FIN7. While Sophos successfully thwarted most of the attacks, some incidents resulted in data exfiltration before intervention.
Sophos advises organisations to limit external access to Teams and to restrict remote access tools by policy. These precautions, together with enhanced monitoring, are critical to countering such sophisticated social engineering attacks.
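One way a tenant administrator can apply those two recommendations, as an added example that is not part of the Sophos report or this article: it assumes the MicrosoftTeams PowerShell module is installed, the account holds Teams admin rights, and "partner.example" stands in for a real trusted partner domain.

```powershell
# Added example (not from Sophos or this article). Assumptions: MicrosoftTeams
# module installed, Teams admin rights, and "partner.example" is a placeholder
# for a tenant whose users genuinely need to reach your staff.
Connect-MicrosoftTeams

# 1. Record the current external access (federation) settings before changing them,
#    so the change is auditable and reversible.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains

# 2. Block chats and calls from personal (consumer) Teams and Skype accounts; these
#    are the cheapest identities for someone posing as "IT support" to create.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 3. Replace open federation with an explicit allow list, so only the named
#    tenant(s) can message or call users. Every other tenant is blocked.
$allowed = New-CsEdgeAllowList -AllowedDomain (New-CsEdgeDomainPattern -Domain "partner.example")
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowed

# 4. Show the result for the change record.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains

# 5. On managed Windows endpoints (run elevated, e.g. via Intune or Configuration
#    Manager), remove the built-in Quick Assist capability so a caller cannot talk
#    a user through handing over control; standardise on a vetted support tool.
Get-WindowsCapability -Online |
    Where-Object Name -like "App.Support.QuickAssist*" |
    Remove-WindowsCapability -Online
```

Step 3 blocks every tenant not on the list, so confirm the allow list with the business owners before running it against production, and pair the change with alerting on remote-session starts from unexpected tools.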
As ransomware gangs grow more innovative, experts stress vigilance and robust cyber defences to protect against these evolving threats.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543