Rapid response · 4 MIN READ · AARON WALTON · APR 25, 2025 · TAGS: in the media / Phishing
TL;DR
- Expel’s SOC has seen a spike in a specific type of pre-ransomware activity that targets Microsoft Teams users with phishing messages
- We’ve seen three customers targeted just this week, with more expected
- Turning on auto remediations can help contain this attack quickly if it hits your org
The Expel threat intel team has seen a spike in a specific type of pre-ransomware activity this week, and we’re writing this up to highlight the tactics and indicators we’ve observed. The activity originates with Microsoft Teams phishing, and we believe the bad actor is a ransomware gang affiliate who works with multiple gangs. Fortunately for our customers, we didn’t see what ransomware gang these actors worked for because we stopped them too early. Based on what we know of their tactics, they previously worked with the Black Basta and Cactus ransomware groups, but no matter who they’re working for now, we know they’re up to no good.
This tactic, which targets multiple organizations, has emerged over the last year or so. Rapid7 identified this type of attack originally in March 2024. As the attack expands to new organizations and incorporates new tactics, it’s important to draw attention to these techniques again.
What we’re seeing
Our SOC observed three distinct organizations who were targeted this week. Two customers are in the retail industry and one is in real estate.
This attack is possible because Microsoft Teams allows external organizations to send invites by default, and these phishing campaigns abuse that setting.
Here’s how the attack works: after messaging targeted employees, the attacker tricks them into giving remote access to their device, most commonly using QuickAssist. QuickAssist is a remote access tool which is enabled on Windows by default, making it an easy way for an attacker to gain access and stay under the radar.
Once they gain access to the system, we’ve seen the attackers attempt a few different techniques. In some instances, they’ve run a script that contains comments visible to the user which pretend to be cleaning up the spam, but instead installs additional remote access tools (RATs). One attacker this week attempted this, but several of the downloads were blocked by the endpoint detection and response (EDR) tool. They then ran a custom Python script, which creates a reverse proxy to connect to their infrastructure.
In subsequent attempts, the attacker instead ran PowerShell in the terminal to create an SSH reverse tunnel configured to connect back to their infrastructure. The following command was used to create the tunnel:
After setting up reverse shells or dropping other remote access tools, the attacker reconnects to the victim’s computer using one of those methods and attempts to move laterally through the victim’s network.
What to do
Organizations can protect against receiving these invites by configuring an “Allow List” for Teams external access, so that only specific, approved external orgs can connect to the Teams environment and unauthorized invitations are restricted. While authorizing partner organizations is extra work, it protects your team against these types of attacks.
We also recommend using Group Policy to disable QuickAssist in your environment if it isn’t used by your organization.
Without Microsoft Teams
While the main attack we’ve observed this week involves abusing Microsoft Teams, we’ve observed another cybercriminal using a variation of this tactic by calling the organization over the phone.
In that instance, the cybercriminal called potential targets pretending to be a pizza delivery service to determine if the phone number and information for the user was valid. The attacker then followed up by sending spam and then calling back—this time spoofing their call to look like an internal call from the company.
Expelling the adversary
Quick response is essential when this activity occurs. Expel has developed a number of IoCs to detect this behavior, and with auto remediation in place, this sort of activity can be shut down and contained immediately.
It’s important to have a team detecting and responding to this activity as soon as it is seen, because the attacker can go from messaging an employee to attempting to ransom the environment in under an hour.
Indicators
Network Indicators
The following are IP addresses observed in use by the attacker. During these attacks, they used a combination of resources hosted on Digital Ocean and Router Hosting infrastructure. As this attacker appears to be targeting multiple organizations in a short period of time, it’s valuable to investigate whether systems are connecting to these IP addresses.
IP address | Context
---|---
167[.]71[.]244[.]187 | Used to connect back to the attacker’s infrastructure during a DFS coercion attempt.
144[.]172[.]95[.]49 | Used in SSH reverse shell.
144[.]172[.]103[.]42 | Command and control IP seen used by the attacker.
172[.]86[.]109[.]159 | Command and control IP seen used by the attacker.
File indicators
The following are files that the attacker deployed to maintain access to the victim’s systems.
Filename | SHA256 hash | Context
---|---|---
screensaver.exe | b87899158bba5b640c3d7e36e6d7eb416667506f3ff66c8fbb81bceaab897b7f | This file was a renamed ScreenConnect installer. ScreenConnect can be used for remote access.
screencut.exe | a1a210e436a04e19c1543b9ddadf715a9dd597e86ff30efc6df8111dbfaaf690 | This file was a copy of OptiTune Agent. The attacker intended to use this tool for remote access.
update.py | 8e40026be62846d89c19db72c1cbbc4ec7f73b21eadc7bb37aee4f9084ee92c4 | Custom Python script from the attacker that creates a reverse shell using Python.
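To make the network and file indicators above directly usable, here is an added example (not Expel’s own tooling) that refangs the defanged values from the two tables and sweeps firewall, proxy and EDR log lines for them. The log lines are constructed for the demonstration; the indicators and their context come from the tables.

```python
import re

# Indicators copied from the tables above, in the defanged form the report uses.
DEFANGED_IPS = {
    "167[.]71[.]244[.]187": "callback during DFS coercion attempt",
    "144[.]172[.]95[.]49": "SSH reverse shell",
    "144[.]172[.]103[.]42": "command and control",
    "172[.]86[.]109[.]159": "command and control",
}
FILE_HASHES = {
    "b87899158bba5b640c3d7e36e6d7eb416667506f3ff66c8fbb81bceaab897b7f": "screensaver.exe (renamed ScreenConnect installer)",
    "a1a210e436a04e19c1543b9ddadf715a9dd597e86ff30efc6df8111dbfaaf690": "screencut.exe (OptiTune Agent)",
    "8e40026be62846d89c19db72c1cbbc4ec7f73b21eadc7bb37aee4f9084ee92c4": "update.py (reverse proxy script)",
}

def refang(indicator: str) -> str:
    """Undo report-style defanging ('[.]', '[@]') so the value matches raw telemetry."""
    return indicator.replace("[.]", ".").replace("[@]", "@")

IPS = {refang(ip): context for ip, context in DEFANGED_IPS.items()}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

def scan_line(line: str) -> list:
    """Return (kind, value, context) for each known indicator found on one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.append(("ip", ip, IPS[ip]))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in FILE_HASHES:  # EDR tools differ in hash casing; compare lowercase
            hits.append(("sha256", digest.lower(), FILE_HASHES[digest.lower()]))
    return hits

def scan_log(lines) -> list:
    """Return (line_number, hit) pairs for a whole log; line numbers start at 1."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]

# Constructed sample lines (firewall, proxy, EDR) for demonstration; not real telemetry.
SAMPLE_LOG = [
    "2025-04-22T14:03:11Z fw allow src=10.20.30.7 dst=144.172.95.49 dport=22 proto=tcp",
    "2025-04-22T14:03:40Z proxy GET https://login.microsoftonline.com/ src=10.20.30.7",
    "2025-04-22T14:05:02Z edr file_create path=C:\\Users\\jdoe\\Downloads\\screensaver.exe "
    "sha256=B87899158BBA5B640C3D7E36E6D7EB416667506F3FF66C8FBB81BCEAAB897B7F",
    "2025-04-22T14:06:15Z fw allow src=10.20.30.7 dst=172.86.109.159 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for line_no, (kind, value, context) in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {value} -> {context}")
```

A hit on the SSH reverse-shell IP or on one of the file hashes is worth treating as the start of the timeline described above, not as an isolated event, given how quickly the activity progresses.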
Identifying Microsoft Teams accounts used for phishing
These are the accounts we’ve seen attackers use from external Microsoft Teams instances to send messages to their targets. If you encounter this activity, you likely won’t see these specific names, but they give you an idea of what domains the attackers are using. The user name or domain often imitates a support or security team member and organization.
Account name
---
itsupport_ext[@]faeeeton.onmicrosoft[.]com
itsecuritycorporation[@]suupportserviceadmiin[.]onmicrosoft[.]com
dave[@]webupdatesupport[.]onmicrosoft[.]com
We’ll continue to monitor, track, and share more about this activity as we see and analyze more cyberattacks that are part of this campaign.