Next time IT wants to help you with a spam problem, ask for some ID.
Sophos researchers this month reported how threat actors are targeting orgs with tons of emails, and then posing as tech support on Microsoft Teams to solve the problem.
The cybersecurity company, in its recent post, said its detection team “observed more than 15 incidents involving these tactics in the past three months, with half of them in the past two weeks.”
“If you’re using one of the security-training vendors, this isn’t in their usual card deck,” Sean Gallagher, principal threat researcher for Sophos X-Ops said of the threat he called “highly active.”
Observed tactics shared by Sophos included email bombing and social-engineering impersonation through legitimate services in Microsoft’s Office 365 platform:
- In one case: a Sophos user received a lot of emails (over 3,000 in 45 minutes, according to the report).
- Using a realistic enough Teams account name of “Help Desk Manager,” the threat actor tricked the user into installing the screensharing Microsoft Quick Assist tool and establishing a remote session “that gave the threat actor control over the targeted individual’s device.”
Malicious payloads in attacks of this nature included credential stealers, network discovery tools, and in one case, ransomware.
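As an added illustration that is not part of the Sophos report or this article, the Python sketch below detects the two-stage pattern just described on constructed log data: a burst of inbound mail to one recipient, followed shortly by a Teams contact from a domain outside the tenant. The domain names, thresholds and events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.test"}   # assumption: the org's own tenant domain(s)
BURST_THRESHOLD = 500                  # mails per window that count as "bombing"
BURST_WINDOW = timedelta(minutes=45)   # the report cites 3,000 mails in 45 minutes
FOLLOW_UP_WINDOW = timedelta(hours=2)  # how soon after a burst a Teams contact is suspicious

def find_email_bursts(mail_events):
    """Return {recipient: time the burst threshold was first crossed}.
    mail_events: iterable of (datetime, recipient) in any order.
    A sliding window per recipient means a slow trickle never triggers."""
    bursts = {}
    recent = defaultdict(deque)
    for ts, rcpt in sorted(mail_events):
        q = recent[rcpt]
        q.append(ts)
        while q and ts - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) >= BURST_THRESHOLD and rcpt not in bursts:
            bursts[rcpt] = ts
    return bursts

def correlate_teams_contacts(bursts, teams_events):
    """Flag external Teams contacts that reach a bombed user soon after the burst.
    teams_events: iterable of (datetime, recipient, sender_domain)."""
    alerts = []
    for ts, rcpt, sender_domain in sorted(teams_events):
        burst_at = bursts.get(rcpt)
        if burst_at is None or sender_domain in INTERNAL_DOMAINS:
            continue
        if burst_at <= ts <= burst_at + FOLLOW_UP_WINDOW:
            alerts.append((rcpt, sender_domain, ts))
    return alerts

def _constructed_events():
    """Constructed dataset: one bombed user (alice) and one normal user (bob)."""
    t0 = datetime(2024, 12, 2, 9, 0)
    mail = [(t0 + timedelta(seconds=i * 0.9), "alice@example.test") for i in range(3000)]
    mail += [(t0 + timedelta(minutes=10 * i), "bob@example.test") for i in range(5)]
    teams = [
        (t0 + timedelta(minutes=55), "alice@example.test", "helpdesk-support.invalid"),
        (t0 + timedelta(minutes=30), "bob@example.test", "example.test"),  # internal, benign
    ]
    return mail, teams

if __name__ == "__main__":
    mail, teams = _constructed_events()
    for alert in correlate_teams_contacts(find_email_bursts(mail), teams):
        print("ALERT: external Teams contact after email burst:", alert)
```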
In June, Microsoft alerted customers to a threat group using Teams to send messages and initiate calls impersonating IT and help desk.
The same month, CISA warned the public to beware of agency impersonators. An FTC report released in May 2024 claimed 52,000 instances of Best Buy/Geek Squad fraudsters in 2023, leading to $15 million in losses. (One example cited by the commission included phony renewal requests for hundreds of dollars.) The FTC also saw at least 7,000 cases of Microsoft scammers (considered tech-support scams by the commission), leading to $60 million in losses.
“Lots of organizations have used posing as IT as a way to get in the door. Coupling it with email bombing is a new thing,” Gallagher said, adding that the attack works because a person prevented from doing their job is then confronted with someone seemingly of authority who responds to the problem quickly.
Tina Eide, EVP of global fraud at American Express, sees human-to-human hacking improving as organizations upgrade their anomaly monitoring.
“I would say social engineering has become very prevalent, leveraging the customer and reaching out to the customer and almost getting them involved unknowingly is really a trend at the moment,” Eide told us in December.
Sophos provided recommendations to guard against the tactic, like configuring Office 365 to restrict Teams calls from outside organizations, or limiting external Teams access to trusted partner domains.
Gallagher says IT pros need to establish clear answers for employees on questions like “Whom should employees contact when they have a problem?” and “What will be the approved channel for conversation?”
“People should know who their IT team is,” he told us.