January 22, 2025 By Pierluigi Paganini
Two ransomware groups are exploiting Microsoft 365 services and default settings to target internal enterprise users.
Sophos researchers started investigating two distinct clusters of activity, tracked as STAC5143 and STAC5777, in response to customer ransomware attacks in November and December 2024.
The threat actors used their own Microsoft 365 tenants and abused a default Teams setting that allows external users to contact internal users.
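The default that both clusters relied on is the tenant-level Teams external access (federation) configuration, which out of the box lets any external Microsoft 365 tenant message internal users. The following PowerShell is an added example for auditing and tightening that setting; it is not from the Sophos advisory or from Microsoft. It assumes the MicrosoftTeams module is installed and the operator holds Teams administrator rights; the domain names in the allow list are placeholders.

```powershell
# Added example (not from the advisory): audit and harden Teams external access.
# Requires the MicrosoftTeams PowerShell module and a Teams admin account.
Connect-MicrosoftTeams

# Step 1: read the current tenant federation settings. The permissive default
# this report describes shows up as AllowFederatedUsers = True with an empty
# AllowedDomains list, i.e. every external tenant may initiate chats/calls.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer

if ($cfg.AllowFederatedUsers -and -not $cfg.AllowedDomains) {
    Write-Warning "External access is open to all tenants (default). Consider restricting it."
}

# Step 2 (option A): close external access entirely. Simplest posture for tenants
# that do not need cross-tenant Teams collaboration.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Step 2 (option B): keep federation but restrict it to an explicit allow list.
# 'partner1.example' and 'partner2.example' are placeholder domains; replace with
# the partner tenants your organization actually collaborates with.
# (Parameter -AllowedDomainsAsAList is assumed here; verify against your module version.)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{Add = "partner1.example", "partner2.example"}

# Step 3: also block unmanaged (consumer) Teams accounts, which are not covered
# by tenant federation and are another external-contact path.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# Step 4: re-read and confirm the change took effect before closing the session.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

Option B is usually the practical choice: it preserves legitimate partner collaboration while denying an attacker-controlled tenant the ability to initiate the first contact that the social-engineering chain in this report depends on. Pair the change with a quick review of Teams audit logs for external chats initiated in the preceding weeks.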
Sophos states that STAC5777’s TTPs overlap with those of the group Storm-1811, first spotted by Microsoft. STAC5143 is a new cluster mimicking the Storm-1811 playbook, potentially linked to the FIN7/Sangria Tempest/Carbon Spider threat actor.
“Sophos MDR has observed more than 15 incidents involving these tactics in the past three months, with half of them in the past two weeks,” reads the advisory published by Sophos.