Sophos X-Ops’ Managed Detection and Response (MDR) is actively responding to incidents tied to two separate groups of threat actors, each utilizing Microsoft’s Office 365 platform to infiltrate targeted organizations with the intention of stealing data and deploying ransomware. Sophos MDR began investigating these activities in response to customer incidents in November and December 2024, tracking the threats as STAC5143 and STAC5777. Both groups operated their own Microsoft Office 365 service tenants and exploited a default Microsoft Teams configuration that allows external users to initiate chats or meetings with internal users.
1. The Threat Landscape
STAC5777 has been linked to a group previously identified by Microsoft as Storm-1811, while STAC5143 is a new threat cluster mimicking Storm-1811’s tactics, potentially connected to the known threat actor FIN7, also known as Sangria Tempest or Carbon Spider. Sophos MDR has published detailed reports on these threat clusters to help defenders detect and block ongoing threats and to raise awareness among Office 365 users. Over the past three months, Sophos MDR has observed more than 15 incidents involving these tactics, with half of them occurring in the past two weeks.
2. Common Tactics
The threat actors employed several common tactics, including “email bombing,” where victims receive high volumes of spam emails to create a sense of urgency, followed by Teams messages and calls from adversary-controlled Office 365 instances posing as tech support. The adversaries also used Microsoft remote control tools like Quick Assist or Teams screen sharing to take control of targeted computers and install malware.
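Both tactics described above rely on tenant settings and endpoint software that defenders control. The following PowerShell is an added example, not code from the Sophos report: it reads the Teams external-access (federation) configuration that lets an outside tenant start a chat or call with internal users, restricts business federation to an explicit partner allow list while disabling consumer Teams accounts, and then inventories (and optionally removes) the Quick Assist capability on an endpoint. It assumes the MicrosoftTeams PowerShell module, Teams-administrator rights for the tenant steps, and local administrator rights for the endpoint step; the partner domain names are placeholders.

```powershell
# Added example (not from the Sophos report). Tenant steps need the
# MicrosoftTeams module and a Teams administrator; the endpoint step
# needs an elevated shell. Review the Set-* line before running it.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit: show the tenant-wide settings that govern whether external
#    tenants and consumer (personal) Teams accounts can reach your users.
$fed = Get-CsTenantFederationConfiguration
$fed | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                     AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains |
       Format-List

# 2. Restrict: keep business-to-business federation, but only for an
#    explicit list of partner domains, and turn off consumer accounts
#    (both directions). Domain names below are placeholders.
$partners  = @("partner-one.example", "partner-two.example")
$patterns  = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 3. Endpoint: Quick Assist ships as an optional Windows capability. Report
#    its state and remove it where a managed remote-support tool is the
#    standard, so a "help desk" caller cannot talk a user into using it.
Get-WindowsCapability -Online |
    Where-Object Name -like "App.Support.QuickAssist*" |
    ForEach-Object {
        "{0}: {1}" -f $_.Name, $_.State
        if ($_.State -eq "Installed") {
            Remove-WindowsCapability -Online -Name $_.Name
        }
    }
```

The allow list approach is deliberate: blocking a handful of adversary tenants is not durable, because each intrusion used a tenant the actors themselves created, so the sustainable control is to permit only the external domains the organization actually works with.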
3. STAC5143 Techniques
STAC5143 utilized built-in remote control in Teams, deploying a Java Archive (JAR) and Java runtime to automate victim exploitation. Their approach involved extracting Python-based backdoors from a .zip file downloaded from a remote SharePoint link and employing techniques linked to FIN7. They executed the JAR file from a command shell opened during a remote session and used PowerShell commands to download and deploy additional malware.
4. Detailed Attack Chain
The initial access was achieved through a large volume of spam messages, followed by a Teams call from an account named “Help Desk Manager,” which did not raise suspicion due to the organization’s use of managed IT services. During the call, the threat actor initiated a remote screen control session, allowing them to drop and execute malware. This included Java-based proxies and Python-based backdoors, enabling further system exploitation and data exfiltration.
5. STAC5777 Techniques
STAC5777 displayed similarities to STAC5143, but their tactics involved more direct “hands-on-keyboard” actions. Initial access involved overwhelming victims with spam emails followed by a Teams message from an “internal IT” figure. The actors then instructed users to install Microsoft Quick Assist to establish remote control. Once in control, they downloaded malicious payloads, then combined and extracted them, ultimately deploying a malicious DLL alongside legitimate Microsoft executables to collect system and user data.
6. Discovery and Persistence
Once the actors had control, they leveraged tools like whoami.exe, net.exe, and nltest.exe to gather system and network information. In STAC5143’s case, an additional Java payload executed Python malware, which created reverse SOCKS proxies for remote access. STAC5777, meanwhile, used Quick Assist to run a series of configuration changes and created persistence through scheduled tasks and startup items.
7. Command and Control
Both threat clusters established command and control channels to communicate with remote servers. STAC5143 used ProtonVPN to sideload malicious DLLs and connect to servers hosted in various countries. STAC5777 used the OneDriveStandaloneUpdater process to establish encrypted connections, scanning the target’s network for further exploitation and lateral movement.
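The discovery activity in section 6 and the DLL sideloading in section 7 both leave endpoint telemetry that can be matched with simple rules. The PowerShell below is an added example, not detection content from the Sophos report: it runs two rules over constructed events shaped like Sysmon process-creation and image-load records. Rule one flags a host where a remote-assistance process starts and at least two of whoami.exe, net.exe and nltest.exe run within the following 30 minutes; rule two flags a known sideload host process loading an unsigned DLL or a DLL from a scratch directory. The process names QuickAssist.exe, OneDriveStandaloneUpdater.exe and ProtonVPN.exe are assumptions, and every host name, path and timestamp is constructed for the example.

```powershell
# Added example (not from the Sophos report). All events below are
# constructed; process names for Quick Assist, the OneDrive updater and
# the ProtonVPN client are assumptions to be checked against real logs.

$discoveryTools = @("whoami.exe", "net.exe", "nltest.exe")
$remoteAssist   = @("quickassist.exe")                                  # assumed
$sideloadHosts  = @("onedrivestandaloneupdater.exe", "protonvpn.exe")   # assumed
$scratchDirs    = '\\(Temp|Downloads|Public)\\'   # regex over the loaded DLL path

# Constructed process-creation events. WS01 shows the pattern from the
# incidents; WS02 is a lone whoami.exe with no remote session (benign).
$procEvents = @(
    [pscustomobject]@{ Host="WS01"; Time=[datetime]"2024-12-02T14:05:00"; Image="C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe"; Parent="explorer.exe" }
    [pscustomobject]@{ Host="WS01"; Time=[datetime]"2024-12-02T14:07:10"; Image="C:\Windows\System32\whoami.exe";  Parent="cmd.exe" }
    [pscustomobject]@{ Host="WS01"; Time=[datetime]"2024-12-02T14:07:40"; Image="C:\Windows\System32\net.exe";     Parent="cmd.exe" }
    [pscustomobject]@{ Host="WS01"; Time=[datetime]"2024-12-02T14:08:05"; Image="C:\Windows\System32\nltest.exe";  Parent="cmd.exe" }
    [pscustomobject]@{ Host="WS02"; Time=[datetime]"2024-12-02T09:00:00"; Image="C:\Windows\System32\whoami.exe";  Parent="cmd.exe" }
)

# Constructed image-load events. WS01: the updater runs from Temp and loads
# an unsigned DLL beside it. WS03: a normal load of a system DLL.
$loadEvents = @(
    [pscustomobject]@{ Host="WS01"; Image="C:\Users\jdoe\AppData\Local\Temp\OneDriveStandaloneUpdater.exe"; ImageLoaded="C:\Users\jdoe\AppData\Local\Temp\placeholder.dll"; Signed=$false }
    [pscustomobject]@{ Host="WS03"; Image="C:\Users\asmith\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"; ImageLoaded="C:\Windows\System32\kernel32.dll"; Signed=$true }
)

function Find-RemoteSessionDiscovery {
    # Per host: for each remote-assistance start, count distinct discovery
    # tools launched inside the window; two or more raises an alert.
    param($Events, [int]$WindowMinutes = 30)
    $alerts = @()
    foreach ($group in ($Events | Group-Object Host)) {
        $sessions = $group.Group | Where-Object {
            $remoteAssist -contains (Split-Path $_.Image -Leaf).ToLower()
        }
        foreach ($s in $sessions) {
            $end  = $s.Time.AddMinutes($WindowMinutes)
            $hits = @($group.Group | Where-Object {
                $_.Time -ge $s.Time -and $_.Time -le $end -and
                $discoveryTools -contains (Split-Path $_.Image -Leaf).ToLower()
            })
            $tools = @($hits | ForEach-Object { (Split-Path $_.Image -Leaf).ToLower() } | Sort-Object -Unique)
            if ($tools.Count -ge 2) {
                $alerts += [pscustomobject]@{
                    Host = $group.Name; SessionStart = $s.Time; Tools = ($tools -join ",")
                }
            }
        }
    }
    return $alerts
}

function Find-SideloadCandidates {
    # Flag a known sideload host loading an unsigned DLL, or any DLL from a
    # scratch directory such as Temp or Downloads.
    param($Events)
    $Events | Where-Object {
        $sideloadHosts -contains (Split-Path $_.Image -Leaf).ToLower() -and
        (-not $_.Signed -or $_.ImageLoaded -match $scratchDirs)
    } | ForEach-Object {
        [pscustomobject]@{ Host = $_.Host; HostProcess = (Split-Path $_.Image -Leaf); Dll = $_.ImageLoaded; Signed = $_.Signed }
    }
}

Find-RemoteSessionDiscovery -Events $procEvents | Format-Table -AutoSize   # WS01 only
Find-SideloadCandidates     -Events $loadEvents | Format-Table -AutoSize   # WS01 only
```

Requiring two distinct discovery tools after a remote-assistance start, rather than alerting on whoami.exe alone, keeps the rule useful on hosts where administrators legitimately run these commands; the sideload rule is written around signature status and load path because the host executable in these cases is a genuine signed Microsoft or vendor binary that file-hash blocking would not catch.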
8. Impact and Data Exfiltration
The ultimate goal of both threat actors was ransomware deployment and data theft. At least one incident linked to STAC5777 involved an attempt to execute Black Basta ransomware, which was blocked by Sophos endpoint protection. The actors also engaged in data exfiltration by searching for credentials and network diagrams.
9. Conclusion
Sophos X-Ops’ Managed Detection and Response (MDR) team is actively addressing incidents linked to two distinct groups of cybercriminals. These threat actors are using Microsoft’s Office 365 platform to penetrate targeted organizations, with the aim of stealing data and deploying ransomware. In November and December 2024, Sophos MDR began probing these malicious activities as a result of customer reports. The threats have been cataloged as STAC5143 and STAC5777. Both groups operate their own Microsoft Office 365 service tenants, exploiting a default setting in Microsoft Teams that permits external users to start chats or meetings with internal users. This default Teams configuration is being leveraged to breach organizational defenses. Sophos MDR’s ongoing investigation highlights the sophistication of these groups and their methods. They continuously adapt to exploit existing software configurations, making it crucial for organizations to reassess their security measures to safeguard sensitive data.