Ransomware gangs pose as IT support in Microsoft Teams phishing attacks
ID: 9617043e-8add-591a-bdd4-ad5f78f26f67
STIX ID: report--9617043e-8add-591a-bdd4-ad5f78f26f67
Feed Name: Bleeping Computer
Researchers at Sophos observed multiple campaigns that use email bombing and Microsoft Teams vishing to trick employees into granting remote control. That access enables attackers to deploy backdoors and side-loaded malicious DLLs (examples: MailQueue-Handler.jar, nethost.dll, winhttp.dll) for credential theft, network reconnaissance, and attempted Black Basta ransomware deployment. Two clusters, tracked as STAC5143 and STAC5777, were documented, and a possible but low-confidence link to FIN7 was noted. The recommendations are to block external Teams calls and disable Quick Assist on critical systems.
