Intel Name: Two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Date of Scan: January 22, 2025
Impact: High
Summary: Our team is actively responding to incidents involving two distinct threat actor groups leveraging Microsoft Office 365 to infiltrate organizations, likely aiming to steal data and deploy ransomware. Investigations into these clusters began following customer incidents in November and December 2024, with the threats tracked as STAC5143 and STAC5777. Both groups operated their own Office 365 tenants and exploited a default Microsoft Teams configuration allowing users from external domains to initiate chats or meetings with internal users.