- Sophos researchers said they saw two groups engaging in email bombing attacks.
- At least 15 organizations were attacked in the last three months.
- The goal is to steal sensitive data and deploy ransomware.
At least two groups of threat actors are carrying out email bombing campaigns against numerous organizations in the West, attempting to steal their data and deploy ransomware.
Sophos X-Ops cybersecurity researchers have observed more than 15 such incidents in the last three months, half of which occurred in the last two weeks, suggesting that the criminals are picking up the pace.
Email bombing is not a new tactic. It involves “bombarding” the victim with hundreds, if not thousands, of emails in a very short period of time, after which the attackers contact the victim posing as an IT administrator or network support worker.
The attackers reportedly communicate via Microsoft Teams or similar online collaboration tools and offer to resolve the issue. If the victim takes the bait, attackers would demand access to Quick Assist or Microsoft Teams screen sharing to take control of their targets’ computers. Once granted access, the attackers would deploy ransomware, the researchers said.
While Sophos
The second group is apparently linked to Storm-1811, another financially motivated cybercriminal group. This collective is known for deploying Black Basta ransomware through sophisticated social engineering attacks, and has been observed posing as IT personnel in the past.
For Sean Gallagher, principal threat researcher at Sophos, the key to the problem lies in the fact that the default Teams configuration allows people outside of an organization to chat or call a company’s internal staff.
“Since many companies use managed service providers for their IT support, receiving a Teams call from an unknown person labeled ‘Help Desk Administrator’ may not raise alarm bells, especially if combined with an overwhelming amount of spam,” Gallagher said.
“As Sophos continues to see new cases of MDR and IR associated with these tactics, we want companies using Microsoft 365 to be on high alert. They should check company-wide configurations, block messages from external accounts if possible, and block remote access tools and remote machine management tools that their organizations do not use regularly.”
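The email-bombing stage described above is the part of this campaign that mail-gateway logs can surface before the fake “help desk” call arrives. The following is an added example, not code from Sophos or the article: it runs a per-recipient sliding window over constructed log lines in an assumed `<ISO timestamp> <sender> -> <recipient>` format and flags recipients hit by an abnormal burst, recording how many distinct senders were involved (a sign-up flood shows many unrelated senders, unlike a single misbehaving mailer).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: mail-gateway log lines in the assumed format
# "<ISO timestamp> <sender> -> <recipient>". Not real traffic.
def build_sample_log():
    base = datetime(2024, 12, 1, 9, 0, 0)
    lines = []
    # Normal traffic: bob gets five messages spread over an hour.
    for i in range(5):
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()} colleague{i}@partner.example -> bob@corp.example")
    # Email bomb: alice gets 120 sign-up confirmations from 120 senders in 4 minutes.
    for i in range(120):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} noreply@site{i}.example -> alice@corp.example")
    return lines

def parse_line(line):
    ts_str, rest = line.split(" ", 1)
    sender, recipient = rest.split(" -> ")
    return datetime.fromisoformat(ts_str), sender.strip(), recipient.strip()

def detect_bombing(lines, threshold=50, window=timedelta(minutes=10)):
    """Flag recipients that receive >= threshold messages inside any window.

    Events are sorted by timestamp and tracked in a per-recipient deque that
    only keeps messages younger than `window`. The first time a recipient's
    deque reaches the threshold, an alert is recorded with the burst start
    time and the number of distinct senders seen in the window.
    """
    events = sorted(parse_line(line) for line in lines)  # sort by timestamp
    recent = defaultdict(deque)
    alerts = {}
    for ts, sender, rcpt in events:
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop messages older than the window
        if len(q) >= threshold and rcpt not in alerts:
            alerts[rcpt] = {
                "count": len(q),
                "first_seen": q[0][0],
                "distinct_senders": len({s for _, s in q}),
            }
    return alerts

if __name__ == "__main__":
    for rcpt, info in detect_bombing(build_sample_log()).items():
        print(f"ALERT {rcpt}: {info['count']} msgs from {info['distinct_senders']} "
              f"senders since {info['first_seen']}; expect a follow-up 'IT support' contact")
```

An alert on a mailbox is the cue to warn that user and the help desk that any unsolicited Teams call or Quick Assist request in the following hours should be treated as part of the same attack.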