Rise Of The Impostors: How Employees Can Thwart Tech Support Scams On Workplace Collaboration Tools

Russian cybercriminals are increasingly posing as tech support agents on Microsoft Teams to trick employees into installing ransomware on company networks.

Sophos, a British cybersecurity firm, has observed more than 15 incidents where two separate groups exploited Microsoft Office 365's default settings to launch social engineering attacks.

One group aligns with Storm-1811, previously identified by Microsoft, while the other mimics their methods and may be linked to the FIN7 cybercrime group.

In these incidents, attackers used both voice and video Teams calls, pretending to be IT support staff, and usually reached out when victims were already overwhelmed, such as during a sudden influx of emails or on busy workdays. The targets often believed these calls were legitimate because of their reliance on outsourced IT services, which caused them to lower their guard.

Once contact was made, the attackers often shared links via Teams chat and used legitimate tools like Microsoft QuickAssist or Teams' screen-sharing feature to gain remote control.

With remote access, hackers dropped files like Java archives and Python code, using obfuscation techniques.

Attackers sometimes used a more direct, hands-on approach, launching scripted commands after getting inside the target's system, which matches previously reported behaviors linked to Storm-1811.

In one U.S. Election Day case, attackers exploited the chaos to convince a remote employee to grant access, leading to data exfiltration and attempted ransomware deployment.

Source: https://therecord.media/fake-tech-support-russian-hackers-microsoft-teams

Commentary

The best way to avoid falling victim to the scams described above is to maintain a healthy skepticism toward unsolicited tech support contacts, especially those that occur during periods of high activity or chaos when vigilance may lapse.

Staff should never grant remote access or download software from links provided in chats or calls unless the support interaction has been confirmed directly by the organization's IT team using known procedures.

Moreover, it is crucial to verify every request for remote control, screen sharing, or the installation of troubleshooting tools through secure internal channels before proceeding.

Employees should regularly review and adhere to company policies regarding external communications and permissible remote access applications, understanding that reputable IT support will never rush or pressure anyone into bypassing established security practices.

Any suspicious interaction, particularly one that requests access outside typical business processes or involves unfamiliar contacts or links, should be reported immediately to internal IT or security teams.

By fostering awareness, following strict verification procedures, and never relinquishing control without proper authorization, staff can help prevent ransomware and data theft attempts carried out through impersonation and social engineering.
