Microsoft Teams abused in Russian email bombing ransomware campaign

Posted by:
James Thompson
Wed, 22 Jan

Cybersecurity experts from Sophos have identified two threat actor groups carrying out email bombing attacks on multiple organizations in the western region. These attackers aim to steal sensitive data and deploy ransomware. Over the past three months, at least 15 organizations have been targeted, with a surge in attacks observed in the last two weeks.

Email bombing floods a victim's inbox with a high volume of emails in a short period. The attackers then contact the victim through platforms like Microsoft Teams, posing as IT administrators and offering to help resolve the issue. If the victim falls for the ruse and grants access through remote tools, the attackers proceed to deploy ransomware.
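The sequence above (mail flood, then an outside Teams contact) can be expressed as a correlation rule. The following is an added example, not code from Sophos or from this article; the event tuple layout, thresholds, and domain names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them to your own mail baseline.
BURST_COUNT = 100                     # inbound emails ...
BURST_WINDOW = timedelta(minutes=30)  # ... inside this sliding window
FOLLOWUP = timedelta(hours=2)         # external Teams contact soon after
INTERNAL_DOMAINS = {"corp.example"}   # constructed tenant domain

def find_bursts(mail_events):
    """Return {recipient: time the burst threshold was first reached}."""
    per_user = defaultdict(list)
    for ts, recipient in mail_events:
        per_user[recipient].append(ts)
    bursts = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BURST_WINDOW:
                start += 1  # slide the window forward
            if end - start + 1 >= BURST_COUNT:
                bursts[user] = ts
                break
    return bursts

def correlate(mail_events, teams_events):
    """Flag external Teams contacts that follow an email burst."""
    bursts = find_bursts(mail_events)
    alerts = []
    for ts, sender, recipient in teams_events:
        domain = sender.rsplit("@", 1)[-1].lower()
        burst_at = bursts.get(recipient)
        if burst_at is None or domain in INTERNAL_DOMAINS:
            continue  # no flood for this user, or sender is in-tenant
        if timedelta(0) <= ts - burst_at <= FOLLOWUP:
            alerts.append((recipient, sender, ts))
    return alerts

# Constructed sample data (not taken from the Sophos report).
T0 = datetime(2025, 1, 20, 9, 0)
MAIL = [(T0 + timedelta(seconds=10 * i), "alice@corp.example") for i in range(150)]
MAIL += [(T0 + timedelta(minutes=20 * i), "bob@corp.example") for i in range(5)]
TEAMS = [
    (T0 + timedelta(minutes=40), "helpdesk@support-tenant.example", "alice@corp.example"),
    (T0 + timedelta(minutes=45), "it@corp.example", "alice@corp.example"),
    (T0 + timedelta(minutes=50), "helpdesk@support-tenant.example", "bob@corp.example"),
]
print(correlate(MAIL, TEAMS))
```

Only the external contact to the flooded mailbox is flagged; the in-tenant message and the contact to a user with normal mail volume are ignored.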

While Sophos X-Ops hasn’t definitively attributed the attacks to specific groups, they have identified potential connections between one group and the Russian hacking collective Fin7. The second group appears to have ties to Storm-1811, known for leveraging sophisticated social engineering tactics to distribute ransomware.

Principal threat researcher Sean Gallagher emphasized the vulnerability posed by default configurations in platforms like Teams, which let external parties communicate with internal staff easily. He advises organizations to review their settings, restrict external communications, and block remote access tools to reduce the risk of falling victim to such attacks. Stay vigilant and ensure robust security measures when using Microsoft 365.
