Russian Ransomware Campaigns Target Microsoft Teams Users

Sophos X-Ops, the threat research division of the British cybersecurity company Sophos, has revealed two active cyberattack campaigns targeting organizations that use Microsoft Office 365. These campaigns, linked to Russian cybercriminal groups, abuse remote access and management tools such as Microsoft Teams screen sharing and Quick Assist to infiltrate networks, steal sensitive data, and deploy ransomware.

The two threat groups, identified as STAC5143 and STAC5777, have been observed conducting highly active campaigns over the past few months. Sophos has traced links between one of the threat groups and the Russian cybercriminal group Fin7, while the other overlaps with Storm-1811, another Russian group. Both are known for their involvement in ransomware and data theft operations.

In the last three months, more than 15 separate incidents have been detected, with half of them occurring in the past two weeks. The process begins with the attackers targeting a select group of employees within companies that use Microsoft Teams. These individuals are bombarded with thousands of spam emails in a short period—sometimes more than 3,000 emails in less than an hour. Because many employees will not click suspicious email links, the attackers escalate by calling the target over Microsoft Teams voice or video, posing as support staff offering to resolve the email problem.
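As an added example (not code from Sophos or from this article), the following Python script shows the kind of detection logic a mail or SIEM team could run over inbound message records to catch the email-bombing stage described above: a per-recipient sliding window that flags any mailbox receiving an abnormal volume of messages within a short period, along with how many distinct senders were involved (a flood built from mass newsletter sign-ups typically shows many). The record format, the threshold and window values, and the sample traffic are all constructed assumptions for this example.

```python
"""Sliding-window detection of inbound e-mail bombing against individual mailboxes.

Added example, not code from the article or from Sophos. The record layout
(timestamp, recipient, sender), the tuning values and the sample traffic are
constructed for illustration; a real deployment would read message-trace or
MTA logs and tune `threshold` and `window` to the organisation's baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_email_bombing(records, threshold=500, window=timedelta(hours=1)):
    """Return {recipient: alert} for mailboxes that exceed `threshold` messages
    inside any `window`-long interval.

    `records` is an iterable of (timestamp, recipient, sender) tuples. A deque
    per recipient holds the messages still inside the window, so the scan is
    linear in the number of records once they are sorted by time. The alert
    keeps the peak count seen for that recipient and the number of distinct
    senders contributing to it.
    """
    by_recipient = defaultdict(deque)
    alerts = {}
    for ts, rcpt, sender in sorted(records):
        q = by_recipient[rcpt]
        q.append((ts, sender))
        # Drop messages that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold:
            current = alerts.get(rcpt)
            if current is None or len(q) > current["count"]:
                alerts[rcpt] = {
                    "first": q[0][0],
                    "last": ts,
                    "count": len(q),
                    "distinct_senders": len({s for _, s in q}),
                }
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real data).

    alice@example.com receives 1,200 messages from 300 different senders in
    40 minutes; bob@example.com receives 30 messages from one colleague
    spread over 15 hours.
    """
    t0 = datetime(2025, 1, 20, 9, 0, 0)
    records = []
    for i in range(1200):
        records.append((t0 + timedelta(seconds=2 * i),
                        "alice@example.com",
                        f"list{i % 300}@example.net"))
    for i in range(30):
        records.append((t0 + timedelta(minutes=30 * i),
                        "bob@example.com",
                        "colleague@example.com"))
    return records


if __name__ == "__main__":
    for rcpt, alert in detect_email_bombing(build_sample_log()).items():
        print(f"ALERT {rcpt}: {alert['count']} messages from "
              f"{alert['distinct_senders']} senders between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

An alert on its own is a cue to look for the second stage: an inbound Teams call or chat from an external tenant to the same user shortly after the flood, which is the contact the attackers use to pose as the help desk.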

The attackers then instruct the targeted employee to grant remote access to their computer using Microsoft Teams’ screen-sharing feature or Quick Assist. Once access is granted, the attackers gain control of the machine, deploy ransomware, and exfiltrate valuable data.

According to Sean Gallagher, principal threat researcher at Sophos, this growing trend highlights the increasing abuse of remote management tools. Microsoft Teams in particular has become a weak point because its default settings allow external users to contact internal employees. Gallagher notes that many businesses rely on managed service providers for IT support, which makes a call from an unfamiliar “Help Desk Manager” seem routine and leaves staff more susceptible to such scams.

To protect against these threats, Sophos advises companies using Microsoft Office 365 to review their security configurations, block external communications in Teams where possible, and restrict access to remote management tools to trusted personnel. Additionally, raising employee awareness about these tactics—especially those not covered in traditional anti-phishing training—is crucial to mitigating the risk.