Hackers are using Microsoft Teams to trick businesses—here’s how to stay safe

Cybercriminals are getting sneaky. Instead of breaking in, they’re tricking people into handing over access—and they’re using Microsoft Teams to do it.

A new wave of ransomware attacks is hitting businesses through Microsoft 365, with hackers posing as IT support on Teams. If they succeed, they can install malware, steal data, and lock businesses out of their own systems.

These attacks mainly target small and mid-sized businesses that moved to the cloud and digitised quickly, especially after COVID-19. Many started using Microsoft 365, Teams, and Azure for the first time, often without the security knowledge to protect themselves, which makes them easy targets for attackers.

Here’s how these scams work—and how to stop them.

How the scam works

These attacks rely on distraction and deception rather than traditional hacking. Here’s the playbook:

Step 1: Email chaos

Hackers flood a victim’s inbox with thousands of spam emails—sometimes 3,000 in just 45 minutes. The goal? Create panic and confusion so the victim is more likely to trust the “IT support” coming to help.

Step 2: Fake IT support on Microsoft Teams

After the email flood, the attacker strikes on Teams. They pose as IT support—using names like “Help Desk Manager”—and send messages or even make calls. They sound convincing, claiming they need urgent access to “fix” the email issue.

Step 3: Remote access and malware installation

If the victim falls for it, they’re asked to share their screen or give remote access through Microsoft Teams or Quick Assist. Once the hacker is in, they install malware, steal data, and, in some cases, lock the business out of its own systems with ransomware.

Who’s behind it?

  • STAC5143 – A group linked to FIN7, a cybercrime gang responsible for some of the most sophisticated phishing attacks in recent years. They’ve been known to deploy ransomware like Black Basta.

  • STAC5777 – Another cyber gang using the same tricks to break into businesses and hold their data hostage.

How to protect your business

The good news? A few simple steps can make your business much harder to trick.

Lock down Microsoft Teams – Check your settings and limit who can message or call your team from outside your business.

Train your team to spot scams – Teach your team to be careful with unexpected IT requests. This is important if someone asks them to share their screen or give remote access. Read our blog: Why your business needs cyber awareness training

Turn on multi-factor authentication (MFA) – This extra security step helps block hackers. It works even if they get someone’s login details. How to turn on MFA

Watch for red flags – Use security tools that can detect strange activity, like an IT support person logging in from an unusual location. Watch our webinar Securing your Microsoft 365 environment
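
To make "watch for red flags" concrete, here is an added example (not code from Cloud & More or Microsoft) that correlates the two signals described above: a mail flood to one mailbox, followed by a support-themed Teams chat from outside the organisation. The event tuples, thresholds, keyword list and sample data are assumptions made for illustration; real mail-trace and Teams audit exports would need mapping into this shape.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; adjust to your own mail volume.
FLOOD_COUNT = 1000                      # inbound mails per recipient...
FLOOD_WINDOW = timedelta(minutes=45)    # ...within this sliding window
FOLLOWUP = timedelta(hours=3)           # how long after a flood a chat is suspect
LURES = ("help desk", "helpdesk", "it support", "service desk")

def flood_onsets(mail_events):
    """Return {recipient: time the sliding-window count first hit FLOOD_COUNT}."""
    windows, onsets = defaultdict(deque), {}
    for ts, rcpt in sorted(mail_events):
        win = windows[rcpt]
        win.append(ts)
        while ts - win[0] > FLOOD_WINDOW:   # drop mails older than the window
            win.popleft()
        if len(win) >= FLOOD_COUNT and rcpt not in onsets:
            onsets[rcpt] = ts
    return onsets

def suspicious_chats(mail_events, chat_events, internal_domain):
    """Flag external, support-themed Teams chats that follow a mail flood."""
    onsets = flood_onsets(mail_events)
    alerts = []
    for ts, sender, display_name, rcpt in chat_events:
        external = not sender.lower().endswith("@" + internal_domain)
        lure = any(word in display_name.lower() for word in LURES)
        onset = onsets.get(rcpt)
        if external and lure and onset and timedelta(0) <= ts - onset <= FOLLOWUP:
            alerts.append((rcpt, sender, display_name, ts - onset))
    return alerts

# Constructed sample data (not real logs): 1,200 mails to alice in 40 minutes.
T0 = datetime(2025, 1, 1, 9, 0)
MAIL = [(T0 + timedelta(seconds=2 * i), "alice@example.com") for i in range(1200)]
MAIL += [(T0 + timedelta(minutes=5 * i), "bob@example.com") for i in range(6)]
CHATS = [
    (T0 + timedelta(minutes=50), "hd@tenant.example.net", "Help Desk Manager", "alice@example.com"),
    (T0 + timedelta(minutes=55), "it@example.com", "IT Support", "alice@example.com"),
    (T0 + timedelta(minutes=20), "hd@tenant.example.net", "Help Desk Manager", "bob@example.com"),
]

if __name__ == "__main__":
    for alert in suspicious_chats(MAIL, CHATS, "example.com"):
        print(alert)
```

Only the external "Help Desk Manager" chat to the flooded mailbox is flagged; the internal IT account and the external chat to a mailbox with normal mail volume are not.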

Frequently asked questions

What is a phishing attack on Microsoft Teams?

A phishing attack on Teams occurs when cybercriminals pretend to be trusted contacts, like IT support. They try to trick the team into sharing sensitive information or giving access to company systems.

How can businesses secure Microsoft Teams?

Businesses can tighten security by restricting external communication, training their teams to spot phishing attempts, and using security tools to monitor for suspicious activity.

What is email bombing, and why do attackers use it?

Email bombing is when attackers flood inboxes with thousands of spam emails to create chaos. The goal? Distract the victim, making them more likely to fall for a phishing scam.

Why are ransomware gangs targeting Microsoft Teams?

Teams lets people communicate with outsiders by default. Hackers take advantage of this to pretend to be trusted contacts. They trick businesses into giving them access through deception instead of regular hacking. Small and mid-sized businesses, in particular, have become prime targets as they increasingly rely on cloud-based tools but may lack the security expertise to keep attackers out.

What should the team do if they suspect a phishing attempt?

They should report any suspicious activity to IT right away, avoid clicking on unknown links or downloading files, and verify the identity of anyone asking for remote access.

Final thoughts

Hackers know that tricking people is easier than hacking systems—and that’s why they’re using scams like this. But with the right precautions, businesses can stay ahead of the game.

Need help securing Microsoft 365?

Cloud & More helps businesses stay safe from cyber threats. Get in touch to find out how we can protect your team.
