Published in News

Sophos X-Ops spots two active cyber threat campaigns

22 January 2025


Microsoft Office 365 and Remote Management tools targeted

Sophos X-Ops has uncovered two active cyber threat campaigns. In these campaigns, separate teams of cybercriminals exploit the Microsoft Office 365 platform and remote management tools like Quick Assist to breach companies' IT networks, steal data, and deploy ransomware.

Sophos Managed Detection and Response (MDR) has reported more than 15 incidents involving these tactics in the past three months, half of them recorded in just the past two weeks.

The cybercriminals are using a similar set of tactics to infiltrate companies' networks.

They start by targeting specific employees at companies that use Microsoft Teams, bombarding them with thousands of spam emails in a short space of time. In one reported case, over 3,000 spam emails were sent in less than an hour.

Following this, the attackers place voice and video calls via Microsoft Teams, offering to help resolve the spam problem. Using Quick Assist or Microsoft Teams screen sharing, they take control of the targeted employee's computer and deploy ransomware.
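The two-step pattern described above (a flood of inbound mail to one mailbox, then an external Teams call to the same person) lends itself to a simple correlation check in a SOC. The following is an added example, not code from Sophos or from the report; the event records, field names, thresholds and time windows are constructed assumptions for illustration, and a real deployment would feed it from mail-flow and Teams call records instead.

```python
"""Correlate an inbound mail flood with a follow-up external Teams call.

Added example, not code from Sophos or the article. It models the two-step
pattern the article describes: a burst of spam to one mailbox, followed by an
external Teams voice/video call to the same person offering "help". The event
stream, field names and thresholds below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAIL_BURST_THRESHOLD = 200                  # assumed: messages per window that count as a bomb
MAIL_BURST_WINDOW = timedelta(hours=1)      # assumed sliding window for the mail count
CALL_FOLLOWUP_WINDOW = timedelta(hours=2)   # assumed: how long after the burst a call is suspicious


def build_sample_events():
    """Constructed event stream: (timestamp, kind, user, detail). Not real data."""
    base = datetime(2025, 1, 15, 9, 0)
    events = []
    # 300 inbound messages to alice inside 30 minutes (constructed spam bomb)
    for i in range(300):
        events.append((base + timedelta(seconds=6 * i), "mail", "alice", "inbound"))
    # Normal trickle of mail to bob
    for i in range(5):
        events.append((base + timedelta(minutes=10 * i), "mail", "bob", "inbound"))
    # External Teams call to alice 45 minutes in, from an outside tenant posing as support
    events.append((base + timedelta(minutes=45), "teams_call", "alice",
                   {"external": True, "caller": "Help Desk Manager"}))
    # Internal call to alice: not from outside the tenant, must not alert
    events.append((base + timedelta(minutes=50), "teams_call", "alice",
                   {"external": False, "caller": "IT Ops"}))
    # External call to carol with no preceding burst: must not alert
    events.append((base + timedelta(minutes=55), "teams_call", "carol",
                   {"external": True, "caller": "Help Desk Manager"}))
    return sorted(events, key=lambda e: e[0])


def detect_mail_bursts(events, threshold=MAIL_BURST_THRESHOLD, window=MAIL_BURST_WINDOW):
    """Sliding-window count of inbound mail per user.

    Returns {user: (burst_start, burst_end)} for every user whose mailbox
    received at least `threshold` messages within any `window`.
    """
    recent = defaultdict(deque)
    bursts = {}
    for ts, kind, user, _ in events:
        if kind != "mail":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:      # drop messages that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            start, _ = bursts.get(user, (q[0], ts))
            bursts[user] = (start, ts)       # extend the burst end while the flood continues
    return bursts


def correlate_external_calls(events, bursts, followup=CALL_FOLLOWUP_WINDOW):
    """Flag external Teams calls to a user during, or shortly after, their mail burst."""
    alerts = []
    for ts, kind, user, detail in events:
        if kind != "teams_call" or not detail.get("external"):
            continue
        if user not in bursts:
            continue
        start, end = bursts[user]
        if start <= ts <= end + followup:
            alerts.append({"user": user, "call_time": ts, "caller": detail["caller"],
                           "burst_start": start, "burst_end": end})
    return alerts


def run():
    """Run both stages over the constructed events and return the alerts."""
    events = build_sample_events()
    return correlate_external_calls(events, detect_mail_bursts(events))


if __name__ == "__main__":
    for alert in run():
        print(f"ALERT {alert['user']}: external Teams call from '{alert['caller']}' "
              f"at {alert['call_time']:%H:%M}; mail burst began {alert['burst_start']:%H:%M}")
```

On the constructed data this raises exactly one alert, for alice: the internal call is ignored because only calls from outside the tenant are considered, and carol's external call is ignored because no mail burst preceded it. The threshold and follow-up window are the knobs to tune against a tenant's normal mail volume; the external-caller flag is the piece that makes the Teams default described later in the article (outside accounts may call staff) visible to the detection.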

One group of threat actors has been linked to the notorious Russian cybercriminal organisation Fin7, while the other shares ties with the Russian threat group Storm-1811. Sophos is publishing this research to help organisations defend against these active campaigns and to raise awareness of their growing impact.

Sophos principal threat researcher Sean Gallagher said that while exploitation of remote management tools and abuse of legitimate services are not wholly new, Sophos has seen more threat groups adopt these tactics to target companies of all sizes.

“Microsoft Teams’ default configuration allows individuals outside an organisation to chat with or call internal staff at a company, and attackers abuse this feature. Since many companies use managed service providers for their IT support, receiving a Teams call from an unknown person labelled as ‘Help Desk Manager’ may not ring alarm bells, especially if it’s combined with an overwhelming amount of spam email,” he said.

Sophos advises companies using Microsoft 365 to be on high alert. Gallagher said they should review company-wide configurations, block messages from external accounts where possible, and block remote access and machine management tools that their organisations do not regularly use.

Last modified on 22 January 2025