E-mail Bombing and Voice Phishing

Andrea Gillhuber,

Microsoft Teams as a Gateway

Sophos X-Ops has investigated an active threat campaign in which two different threat actor groups are infiltrating organizations. The cybercriminals are abusing the functionality of the Office 365 platform.


According to the experts at Sophos X-Ops, the cybercriminals combine email bombing, with up to 3,000 messages in less than an hour, with subsequent voice or video calls via Teams, a technique also known as voice phishing or vishing.

After the first spam messages are sent, the attackers pretend to be technical support from the affected company, call via Teams and offer their "support" in solving the problem. If the employee answers the call and gives the criminals control of the computer using "Quick Assist" or Microsoft Teams screen sharing, the callers start rolling out the malware. As part of its investigations, Sophos X-Ops has uncovered links between the cybercriminals active in this campaign and the Russian threat groups "Fin7" and "Storm-1811".
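The chain described above (mail flood, then a Teams call from outside the tenant, then a Quick Assist session) can be correlated per user in telemetry. The following is an added example, not Sophos's detection logic or code from the article; the normalized event schema, the thresholds, the domain names and the sample events are all constructed assumptions, and it covers only the Quick Assist branch, not Teams screen sharing.

```python
from collections import deque
from datetime import datetime, timedelta

FLOOD_WINDOW = timedelta(hours=1)     # article: the flood arrives in under an hour
FLOOD_THRESHOLD = 500                 # assumed alert level, well below the 3,000 peak
FOLLOWUP_WINDOW = timedelta(hours=2)  # assumed maximum gap between stages

def correlate(events, internal_domain):
    """Walk time-ordered events; return (user, stage, timestamp) findings."""
    mail, flooded, contacted, findings = {}, {}, {}, []
    for ev in events:
        ts, user = ev["ts"], ev["user"]
        if ev["type"] == "mail":
            q = mail.setdefault(user, deque())
            q.append(ts)
            while ts - q[0] > FLOOD_WINDOW:      # drop mail older than the window
                q.popleft()
            if len(q) >= FLOOD_THRESHOLD:
                if user not in flooded or ts - flooded[user] > FLOOD_WINDOW:
                    findings.append((user, "mail_flood", ts))
                flooded[user] = ts               # remember the latest flood activity
        elif ev["type"] == "teams_call":
            external = not ev["caller"].lower().endswith("@" + internal_domain)
            if external and user in flooded and ts - flooded[user] <= FOLLOWUP_WINDOW:
                contacted[user] = ts
                findings.append((user, "external_teams_call_after_flood", ts))
        elif ev["type"] == "process":
            quick_assist = ev["image"].lower().endswith("quickassist.exe")
            if quick_assist and user in contacted and ts - contacted[user] <= FOLLOWUP_WINDOW:
                findings.append((user, "quick_assist_after_external_call", ts))
    return findings

def sample_events():
    """Constructed sample: alice is flooded and then called; bob only gets a call."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    evs = [{"ts": t0 + timedelta(seconds=3 * i), "type": "mail", "user": "alice"}
           for i in range(600)]                  # 600 mails in 30 minutes
    evs += [
        {"ts": t0 + timedelta(minutes=20), "type": "teams_call", "user": "bob",
         "caller": "vendor@partner.example"},
        {"ts": t0 + timedelta(minutes=40), "type": "teams_call", "user": "alice",
         "caller": "helpdesk@tenant.example"},
        {"ts": t0 + timedelta(minutes=45), "type": "process", "user": "alice",
         "image": r"C:\Windows\System32\quickassist.exe"},
    ]
    return sorted(evs, key=lambda e: e["ts"])

if __name__ == "__main__":
    for finding in correlate(sample_events(), "corp.example"):
        print(finding)
```

An external call to a user who was not flooded (bob in the sample) produces no finding, which keeps routine contact from external IT providers from alerting on its own.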

Sean Gallagher, Principal Threat Researcher at Sophos, assesses the situation and offers advice to organizations: "While the exploitation of remote management tools and the abuse of legitimate services is not entirely new in itself, we are seeing more and more threat groups using these tactics to target organizations of all sizes. This is an active threat campaign that we continue to monitor closely. Since the default configuration of Microsoft Teams allows anyone with a Teams account to chat or call a company's employees, many organizations are potentially vulnerable to this threat. In addition, many companies use external providers for their IT support, so a call from a third-party number labeled 'helpdesk manager' doesn't necessarily ring alarm bells. As Sophos continues to see new MDR and IR cases related to these tactics, we advise organizations using Microsoft 365 to be on high alert. They should review configurations and block external account messages and remote access tools that are not regularly used where possible."


A detailed analysis of the attacks can be found in the blog article "Sophos MDR tracks two ransomware campaigns using email bombing and Microsoft Teams vishing".
