Sophos has identified two ransomware groups, STAC5143 and STAC5777, exploiting default configurations in Microsoft 365 services, particularly Microsoft Teams, to gain initial access to corporate networks. Over the past three months, these groups conducted at least 15 attacks by initiating chats and meetings with internal users, impersonating tech support, and requesting remote screen control. Once granted access, they executed commands to deploy malware, including backdoors, facilitating further network compromise. Sophos notes that STAC5143’s tactics resemble those of the FIN7 group, while STAC5777 employs similar social engineering strategies. Organizations are advised to review and adjust Microsoft Teams configurations to prevent external users from initiating contact and to educate employees on recognizing and reporting phishing attempts.
https://www.securityweek.com/ransomware-groups-abuse-microsoft-services-for-initial-access/
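
One way to carry out the configuration review recommended above, as an added example that is not from Sophos or the linked article: a read-only PowerShell audit of the Teams settings that let outside accounts start chats or be handed screen control. It assumes the MicrosoftTeams module is installed and `Connect-MicrosoftTeams` has already been run with an admin account; `Get-TeamsExternalAccessFindings` is a hypothetical helper name.

```powershell
# Added example: read-only audit, changes nothing in the tenant.
# Assumes an authenticated Connect-MicrosoftTeams session (MicrosoftTeams module).
function Get-TeamsExternalAccessFindings {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    $fed = Get-CsTenantFederationConfiguration

    # Tenant-wide switches that let accounts outside the organization reach users
    $checks = [ordered]@{
        AllowFederatedUsers       = 'External Teams organizations can chat with and call internal users'
        AllowTeamsConsumer        = 'Users can communicate with unmanaged (personal) Teams accounts'
        AllowTeamsConsumerInbound = 'Unmanaged (personal) Teams accounts can start conversations with users'
    }
    foreach ($name in $checks.Keys) {
        if ($fed.$name) {
            $findings.Add([pscustomobject]@{
                Scope = 'Tenant federation'; Setting = $name
                Value = "$($fed.$name)";     Risk    = $checks[$name] })
        }
    }

    # With federation on, the allowed-domain list decides who can make contact
    if ($fed.AllowFederatedUsers) {
        $findings.Add([pscustomobject]@{
            Scope = 'Tenant federation'; Setting = 'AllowedDomains'
            Value = "$($fed.AllowedDomains)"
            Risk  = 'Review: should list only partner domains with a business need' })
    }

    # Meeting policies that let an external participant give or request control
    Get-CsTeamsMeetingPolicy |
        Where-Object { $_.AllowExternalParticipantGiveRequestControl } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Scope = "Meeting policy $($_.Identity)"
                Setting = 'AllowExternalParticipantGiveRequestControl'
                Value = 'True'
                Risk  = 'External meeting participants can take control of a shared screen' })
        }

    return $findings
}

Get-TeamsExternalAccessFindings | Format-Table -AutoSize -Wrap
```

Each row is a setting to justify or turn off with `Set-CsTenantFederationConfiguration` or `Set-CsTeamsMeetingPolicy`; an empty result means none of the checked settings currently permits external contact or external screen control.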