
Cyber Threat Alert: Sophisticated Social Engineering Attacks Leverage Legitimate Microsoft Tools and Services to Deploy Ransomware

A highly successful phishing campaign has been identified. While the techniques have been in use since 2024, the threat actors have ramped up their campaigns, impacting a number of organizations. The campaign begins with email bombing to overwhelm the organization’s user base, followed by Teams-based phishing in which the attackers pose as the service desk, leading to account compromise. Cybersecurity reports from Microsoft and Sophos have highlighted these sophisticated social engineering attacks, which also include the use of legitimate Microsoft tools and services to deploy ransomware.

This article defines the threat, gives recommendations to organizations who want to mitigate it, and provides expert advice from Echelon’s team of ethical hackers. 

Phishing Campaigns via Email Bombing and Microsoft Teams Vishing 

In January 2025, Sophos' Managed Detection and Response (MDR) team identified two distinct threat clusters, STAC5143 and STAC5777, employing advanced tactics to infiltrate organizations, including: 

  • Email Bombing: Attackers inundate targeted individuals' Outlook inboxes with thousands of spam emails in a short period, creating a sense of urgency and overwhelming their capacity to manage communications.
  • Microsoft Teams Vishing (Social Engineering): Following the email flood, attackers pose as IT support via Microsoft Teams messages or calls. Exploiting default configurations that allow external communications, they convince users to grant remote access through tools like Quick Assist or Teams' screen-sharing feature. 

Once access is secured, the attackers deploy malware to establish control, exfiltrate data, and in some cases, execute ransomware attacks. Notably, STAC5777 has been linked to the Storm-1811 group and has been observed deploying Black Basta ransomware.


Understanding STAC5143 

The STAC5143 campaign leverages Java Archive (JAR) files and Python-based backdoors to establish persistence on compromised devices. The group also uses RPivot, a reverse SOCKS proxy tool, to tunnel and obscure its access across the network. Using a technique similar to that of the FIN7 cybercrime group, STAC5143 uses lambda functions to obfuscate the code that establishes C2 connections over port 80, hiding within normal HTTP traffic.

Python code from an obfuscated copy of RPivot in the winter.zip archive (Source – Sophos). 

Understanding STAC5777 

The STAC5777 campaign takes a different approach, using a legitimate Microsoft executable, OneDriveStandaloneUpdater.exe, to side-load a malicious DLL, winhttp.dll. The group then establishes C2 channels using an unsigned OpenSSL toolkit driver. Persistence is established by modifying the Windows registry: the group adds the key “HKLM\SOFTWARE\TitanPlus”, which holds the C2 server addresses.

STAC5777 also creates services and a .lnk file to assist with maintaining persistence on compromised devices. The group further attempts to uninstall security software and disable multifactor authentication (MFA) for compromised accounts. To facilitate lateral movement, the group conducts SMB scanning. 
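As an added example (not from the article, Sophos or Echelon), the following PowerShell performs a read-only host triage for the STAC5777 artifacts described above: the TitanPlus registry key, a winhttp.dll placed beside OneDriveStandaloneUpdater.exe, and a service pointing at the updater. The search roots and the "outside the usual install paths" heuristic are assumptions; a hit is a lead for investigation, not proof of compromise.

```powershell
# Added example (not from the article, Sophos or Echelon): read-only host triage for the STAC5777
# artifacts named above. The search roots and the "outside Program Files/System32" heuristic are
# assumptions; a hit is a lead for investigation, not proof of compromise.
function Find-Stac5777Artifacts {
    [CmdletBinding()]
    param(
        # Folders where a dropped copy of the updater plus a rogue winhttp.dll would typically land
        [string[]]$SearchRoots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA,
                                   "$env:SystemDrive\Users\Public", $env:TEMP)
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Registry persistence: the key the report says holds the C2 server addresses
    $titanPlus = 'HKLM:\SOFTWARE\TitanPlus'
    if (Test-Path $titanPlus) {
        $values = (Get-ItemProperty -Path $titanPlus | Out-String).Trim()
        $findings.Add([pscustomobject]@{ Type = 'Registry'; Where = $titanPlus; Detail = $values })
    }

    # 2. Side-load pattern: winhttp.dll sitting next to OneDriveStandaloneUpdater.exe.
    #    The real winhttp.dll lives in System32/SysWOW64; a copy beside the updater is the tell.
    foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Filter 'OneDriveStandaloneUpdater.exe' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dll = Join-Path $_.DirectoryName 'winhttp.dll'
                if (Test-Path $dll) {
                    $sig = Get-AuthenticodeSignature -FilePath $dll   # a genuine Microsoft DLL reports 'Valid'
                    $findings.Add([pscustomobject]@{ Type = 'Sideload'; Where = $dll; Detail = "Signature: $($sig.Status)" })
                }
            }
    }

    # 3. Service persistence: any service whose binary is the updater outside the usual install paths
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -match 'OneDriveStandaloneUpdater\.exe' -and
        $_.PathName -notmatch 'Program Files|\\System32\\'
    } | ForEach-Object {
        $findings.Add([pscustomobject]@{ Type = 'Service'; Where = $_.Name; Detail = $_.PathName })
    }

    return $findings
}

Find-Stac5777Artifacts | Format-Table -AutoSize
```

Run it elevated so the HKLM key and all service definitions are readable; an empty table means none of the three artifacts were found in the searched locations.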

Misuse of Microsoft Quick Assist 

Since May 2024, Microsoft has been tracking threat actors, notably the group identified as Storm-1811 (linked to STAC5777), who exploit the Quick Assist feature, a remote assistance tool built into Windows, to gain unauthorized access to user devices.

These attackers impersonate trusted entities, such as Microsoft technical support or internal IT staff, to deceive users into granting remote access. Once access is obtained, they deploy malware like Qakbot, which can lead to ransomware infections, including the deployment of Black Basta ransomware.

Threat Actor Objectives 

During both campaigns, STAC5143 and STAC5777 have the following objectives: 

  • Collect system and OS details
  • Gather user credentials
  • Log keystrokes using Windows API functions
  • Perform network discovery and lateral movement
  • Exfiltrate sensitive data
  • Deploy ransomware

Recommendations for Organizations 

To mitigate these threats, organizations are advised to: 

  • Restrict External Communications: Adjust Microsoft Teams settings to limit or prevent communications with external domains, reducing the risk of unsolicited contact from potential attackers.
  • Disable Unnecessary Remote Assistance Tools: If Quick Assist is not essential, consider disabling it using tools like AppLocker to prevent its misuse.
  • Enhance User Awareness: Educate employees about these attack vectors, emphasizing the importance of verifying unsolicited communications and being cautious when granting remote access to their devices. 
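As an added example (not from the article or from Echelon), the PowerShell below applies the first two recommendations: it replaces open Teams federation with an allow-list of trusted domains, and it adds an AppLocker packaged-app deny rule for Quick Assist. It assumes the MicrosoftTeams PowerShell module, Teams admin rights and local administrator rights on the Windows host; the partner domain, the rule GUIDs and the Quick Assist package identity are assumed placeholders to confirm in your own environment.

```powershell
# Added example (not from the article or Echelon): applies the first two recommendations above.
# Assumes the MicrosoftTeams module, Teams admin rights and local admin rights on the Windows host.
# 'partner-example.com' and the rule GUIDs are placeholders; the Quick Assist package identity
# (MicrosoftCorporationII.QuickAssist) is assumed and should be confirmed with Get-AppxPackage.

# --- 1. Teams: replace open federation with an allow-list of trusted partner domains ---
Connect-MicrosoftTeams
$trusted   = 'partner-example.com' | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $trusted
$federation = @{
    AllowFederatedUsers       = $true        # federation stays on, but only with the allow-list
    AllowedDomains            = $allowList
    AllowTeamsConsumer        = $false       # no chat with personal (consumer) Teams accounts
    AllowTeamsConsumerInbound = $false
    AllowPublicUsers          = $false       # no Skype consumer users
}
Set-CsTenantFederationConfiguration @federation
# Verify: AllowedDomains should show the allow-list, not "AllowAllKnownDomains"
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer

# --- 2. Windows: deny the Quick Assist Store package with an AppLocker packaged-app rule ---
# Caveat: once an Appx collection is enforced, every packaged app without an Allow rule is
# blocked, so the default allow-all rule must be kept next to the Deny rule.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default) All signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="5e3d2c1b-7a6f-4b8e-9c0d-000000000001" Name="Deny Quick Assist" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="MicrosoftCorporationII.QuickAssist" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'deny-quickassist.xml'
Set-Content -Path $policyPath -Value $policyXml
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge   # merge into the local policy (or deploy the XML via GPO)
sc.exe config appidsvc start= auto                  # AppLocker enforcement needs the Application Identity service
Start-Service -Name AppIDSvc
```

On hosts that still ship the legacy inbox quickassist.exe rather than the Store package, an Exe rule collection entry for that binary is needed in addition to the Appx rule.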

By implementing these measures, organizations can strengthen their defenses against these evolving social engineering attacks. 


Thoughts from an Offensive Security Professional  

- Kris Johnson, Senior Consultant, Echelon Risk + Cyber 

This specific type of social engineering attack aligns with the fundamentals of social engineering: establishing a line of communication with the victim, creating a sense of urgency, compelling the victim to perform an action, and executing post-exploitation.  

In this scenario, we see the victim is first targeted with an email bombing attack. Shortly after, they receive a Microsoft Teams or phone call from the attacker, who says something along the lines of “I see you have received many spam emails in such a brief period. Let’s open Quick Assist, and I will take control to help stop the emails from coming in.”  

If the user falls victim to this, the implications – such as establishing command-and-control communications, sometimes leading to ransomware deployment – can be severe. 

Despite the malicious intent behind this attack, its fundamentals remain the same. For example, when I conduct ethical social engineering attacks, I call the user, introduce myself as an IT staff member, and inform them that recent companywide security updates have not been installed on their machine. I then provide a brief description of these “updates” and direct them to download them from a website designed to appear legitimate, complete with company branding. Once they run the updater, I have successfully established a connection to our command-and-control server.  

See how similar these attacks are? While the methods may differ, the fundamentals and outcomes remain the same. This demonstrates that social engineering does not fundamentally change – only scenarios do, adapting to exploit victims at the right moment.  

So why is it that social engineering is still effective year after year?  

The simple answer: a lack of user-awareness training. When companies invest in user-awareness training, the success rate of these attacks will go down significantly. 

To learn more about strengthening your organization’s defenses against these types of cyber threats, visit our Managed Cloud Security Services, Defensive Security Services, and Cloud Security Assessment pages. Discover how Echelon can help you enhance your cybersecurity posture and protect your organization from advanced social engineering attacks. 
