
Cyber Threat Intelligence Report

This week we briefed our clients on protecting their organizations from email bombing and Teams scams, the advanced social engineering tactics described below.

 

KEY TAKEAWAYS

  • More ransomware campaigns are leveraging email bombing and fake IT support tactics. Learn how to protect your organization.
  • Critical vulnerabilities in Windows, FortiOS and FortiProxy, SAP, SonicWall, Rsync, QNAP, and 7-Zip. Patch now!



 

Email Bombs & Teams Scams Lead to Ransomware

In May 2024, Microsoft detailed a campaign by a group it tracks as Storm-1811, which used advanced social engineering tactics to eventually deploy Black Basta ransomware. Last week, researchers at Sophos published details of two new campaigns, tracked as STAC5143 and STAC5777, that leverage similar tactics.

The attack begins with email bombing, where high volumes of spam emails (up to 3,000 an hour) flood the Outlook mailboxes of users at the target organization. Next, the threat actor begins sending Teams messages and making Teams voice and video calls to the target, posing as IT or tech support for the target organization. Finally, they convince the target user to hand over remote access to their workstation, typically through Microsoft Quick Assist or Teams' built-in remote control. The end goal of both campaigns is ransomware deployment and data theft extortion.

 

How to Protect Your Organization

While these campaigns tend to be more advanced than typical ransomware intrusions, organizations have several detection and prevention opportunities:

  • User awareness and training - Educate staff about this type of attack. The email bomb, followed by quick communication from IT support via Teams, is a very specific set of conditions that should be treated with suspicion and caution.
  • Restrict Teams calls from outside organizations, or only allow external Teams calls to trusted partners. Documentation for implementing these restrictions can be found here.
  • Application Control - Remote access applications should be heavily monitored and restricted. Organizations should only allow one remote access tool, and only on hosts where it is necessary for business functions. All other remote access tools should be restricted. If the tool is not needed, Quick Assist should be restricted by GPO. Additionally, STAC5143 is documented to leverage ProtonVPN during their attacks. ProtonVPN, as well as any other non-authorized VPN applications, should be restricted in the environment.
  • Fully up-to-date EDR should be deployed to every workstation and endpoint. This will help detect and prevent any malicious payloads downloaded by the threat actor.
  • Network monitoring tools such as PacketWatch can identify command and control (C2) traffic as well as potential data exfiltration.
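The first two points above describe a very specific sequence (a burst of mail into one mailbox, then an external Teams chat or call to that same user). The Python below is an added example, not PacketWatch's, Sophos's or Microsoft's code, that runs that logic over constructed mail-gateway and Teams-activity log lines in an assumed format: it flags a mailbox as email-bombed when an assumed threshold of messages arrives within an hour, then flags any Teams chat or call from outside an assumed trusted-domain list that reaches that mailbox shortly afterwards. The thresholds, log layout, domain names and sample data are all assumptions.

```python
"""Flag the email-bomb-then-external-Teams-contact pattern in constructed logs.

Added example, not PacketWatch's, Sophos's or Microsoft's code. Assumed log formats:
  <ISO timestamp> MAIL recipient=<addr> sender=<addr>
  <ISO timestamp> TEAMS recipient=<addr> caller=<addr> type=<chat|call>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for the demo. The report cites bursts of up to 3,000 mails an hour;
# a real deployment would set this well above the mailbox's normal hourly volume.
BOMB_THRESHOLD = 200
BOMB_WINDOW = timedelta(hours=1)
FOLLOWUP_WINDOW = timedelta(hours=2)       # how long after the bomb a Teams contact is suspect
TRUSTED_DOMAINS = {"example.com"}          # assumed: the organisation's own tenant / trusted partners

def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts', a 'source' (MAIL/TEAMS) and the key=value fields."""
    ts_str, source, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str), "source": source}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec

def find_bombs(records):
    """Sliding-window count per recipient; return {mailbox: time the threshold was first crossed}."""
    recent = defaultdict(deque)
    bombs = {}
    mails = sorted((r for r in records if r["source"] == "MAIL"), key=lambda r: r["ts"])
    for r in mails:
        q = recent[r["recipient"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > BOMB_WINDOW:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= BOMB_THRESHOLD and r["recipient"] not in bombs:
            bombs[r["recipient"]] = r["ts"]
    return bombs

def find_suspicious_contacts(records, bombs):
    """Teams chats/calls from outside TRUSTED_DOMAINS that reach a bombed mailbox inside FOLLOWUP_WINDOW."""
    hits = []
    for r in records:
        if r["source"] != "TEAMS":
            continue
        bomb_ts = bombs.get(r["recipient"])
        if bomb_ts is None:
            continue
        caller_domain = r["caller"].rsplit("@", 1)[-1].lower()
        if caller_domain in TRUSTED_DOMAINS:
            continue
        delay = r["ts"] - bomb_ts
        if timedelta(0) <= delay <= FOLLOWUP_WINDOW:
            hits.append({"recipient": r["recipient"], "caller": r["caller"], "type": r["type"],
                         "minutes_after_bomb": int(delay.total_seconds() // 60)})
    return hits

def analyze(lines):
    records = [parse_line(line) for line in lines]
    bombs = find_bombs(records)
    return {"bombs": bombs, "contacts": find_suspicious_contacts(records, bombs)}

def build_sample_lines():
    """Constructed sample: 250 bulk mails to alice within ~8 minutes followed by an external
    Teams call; 5 normal mails to bob and an internal Teams chat (must not be flagged)."""
    base = datetime(2025, 1, 20, 9, 0, 0)
    lines = []
    for i in range(250):
        ts = base + timedelta(seconds=2 * i)   # one mail every two seconds, ~1,800 an hour
        lines.append(f"{ts.isoformat()} MAIL recipient=alice@example.com sender=noreply{i}@bulk-signup.test")
    for i in range(5):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} MAIL recipient=bob@example.com sender=partner@example.org")
    call_ts = base + timedelta(minutes=70)
    lines.append(f"{call_ts.isoformat()} TEAMS recipient=alice@example.com "
                 f"caller=helpdesk@it-support-desk.onmicrosoft.test type=call")
    chat_ts = base + timedelta(minutes=20)
    lines.append(f"{chat_ts.isoformat()} TEAMS recipient=bob@example.com caller=it@example.com type=chat")
    return lines

if __name__ == "__main__":
    result = analyze(build_sample_lines())
    for mailbox, ts in result["bombs"].items():
        print(f"email bomb against {mailbox} crossed threshold at {ts}")
    for hit in result["contacts"]:
        print(f"suspicious Teams {hit['type']} to {hit['recipient']} from {hit['caller']} "
              f"{hit['minutes_after_bomb']} min after the bomb")
```

Only the combination is alerted on: bob's five mails and the chat from the internal IT account produce nothing, while alice's burst followed by a call from an unknown tenant is reported with the delay between the two events, which is the detail an analyst needs to decide whether to reach the user before they grant Quick Assist access.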

 

Resources:


Vulnerability Roundup

 

0-Click RCE in Windows

As part of Microsoft's January Patch Tuesday, Microsoft released a fix for CVE-2024-21298, a critical use-after-free vulnerability in Windows OLE. Object Linking and Embedding (OLE) is a Microsoft technology that allows embedding and linking to documents and other objects. To exploit this vulnerability, a threat actor simply needs to send the victim a specially crafted RTF file (typically in an email). The victim only needs to preview the file, not click or open it, for the exploit to work. Proof-of-concept code is already in the wild. The vulnerability affects Windows Server and Windows 10 and 11. Administrators are urged to apply the latest Microsoft updates as soon as possible.

Authentication Bypass 0-day in FortiOS and FortiProxy

Fortinet recently published a security advisory detailing CVE-2024-55591, a critical authentication bypass vulnerability affecting FortiOS and FortiProxy. The following versions are affected:

  • FortiOS 7.0.0 through 7.0.16 (Upgrade to 7.0.17 or above)
  • FortiProxy 7.2.0 through 7.2.12 (Upgrade to 7.2.13 or above)
  • FortiProxy 7.0.0 through 7.0.19 (Upgrade to 7.0.20 or above)

The advisory states that this flaw is under active exploitation. Threat actors have been observed creating admin and local user accounts with random usernames and adding the local user to an existing sslvpn user group. They have also been observed modifying firewall settings and using the sslvpn access to tunnel into the internal network. Administrators are urged to patch as soon as possible. Additional workarounds include disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach it. Details on how to implement these restrictions can be found in the Fortinet advisory here.

PacketWatch hunt for known IOCs:

*.ip:(45.55.158.47 OR 87.249.138.47 OR 37.19.196.65 OR 149.22.94.37)
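The PacketWatch query above matches any IP-valued field against the four listed addresses. As an added example (not PacketWatch's code), the Python below does the same over constructed flow-log lines in an assumed key=value layout, parsing each value as an IP address so that a near-miss such as 145.55.158.47 is not matched the way a plain substring grep would match it. The log layout and sample lines are assumptions; the four IOC addresses are the ones in the report.

```python
"""Hunt constructed flow-log lines for the FortiOS/FortiProxy IOC addresses listed above.

Added example, not PacketWatch's code. The key=value flow-log layout and the
sample lines are assumptions; the four IOC addresses are the ones in the report.
"""
import ipaddress
import re

IOC_IPS = {ipaddress.ip_address(s) for s in
           ("45.55.158.47", "87.249.138.47", "37.19.196.65", "149.22.94.37")}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_FLOWS = [  # constructed; 203.0.113.10 stands in for the organisation's own edge
    "2025-01-20T10:15:02 src=10.1.2.3 dst=45.55.158.47 dport=443 proto=tcp bytes=18342",
    "2025-01-20T10:15:05 src=10.1.2.9 dst=145.55.158.47 dport=443 proto=tcp bytes=900",
    "2025-01-20T10:16:11 src=37.19.196.65 dst=203.0.113.10 dport=10443 proto=tcp bytes=5120",
    "2025-01-20T10:17:40 src=10.1.2.3 dst=203.0.113.10 dport=53 proto=udp bytes=120",
]

def extract_ips(line):
    """Yield (field, ip) for every key=value field whose value parses as an IP address.
    Ports, byte counts and protocol names fail ip_address() and are skipped."""
    for key, value in FIELD_RE.findall(line):
        try:
            yield key, ipaddress.ip_address(value)
        except ValueError:
            continue

def hunt(lines, iocs=IOC_IPS):
    """Exact-match every IP-valued field against the IOC set (mirrors the `*.ip:` query)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for field, ip in extract_ips(line):
            if ip in iocs:
                hits.append({"line": n, "field": field, "ip": str(ip)})
    return hits

def naive_substring_hits(lines, iocs=IOC_IPS):
    """For comparison only: a plain substring search also reports the 145.55.158.47 near-miss."""
    return [n for n, line in enumerate(lines, 1) if any(str(ip) in line for ip in iocs)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS):
        print(f"line {hit['line']}: {hit['field']}={hit['ip']} matches a known IOC")
    print("substring search would flag lines:", naive_substring_hits(SAMPLE_FLOWS))
```

Line 1 (outbound to 45.55.158.47) and line 3 (inbound from 37.19.196.65, the kind of connection to the sslvpn port the advisory describes) are reported; line 2 is not, even though the substring search flags it.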

 

Critical and High-Severity Vulnerabilities in SAP

SAP recently released a security update fixing 14 vulnerabilities across its products. Included in this release are fixes for two critical vulnerabilities in SAP NetWeaver. These vulnerabilities, CVE-2025-0070 and CVE-2025-0066, allow privilege escalation and sensitive information disclosure. A full listing of the vulnerabilities can be found here. SAP strongly recommends that customers visit the Support Portal and apply the appropriate patches as soon as possible.

 

SonicWall SMA1000 AMC & CMC Critical 0-day

A new 0-day vulnerability has been disclosed by SonicWall for their SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). Tracked as CVE-2025-23006, successful exploitation of this vulnerability allows remote unauthenticated threat actors to execute arbitrary OS commands. Affected products include version 12.4.3-02804 (platform-hotfix) and earlier. The security advisory also notes that SonicWall Firewall and SMA 100 series products are not affected by this issue. Administrators are urged to apply patches immediately, as this vulnerability is currently being exploited in the wild. Additional workarounds include restricting access for AMC and CMC to only trusted sources.

 

Multiple Vulnerabilities Discovered in Rsync

A set of six vulnerabilities was recently disclosed in Rsync, an open-source file synchronization and data transfer tool. This tool is widely used in backup software, such as Rclone, DeltaCopy, ChronoSync, and even QNAP (see below). Affected versions of Rsync are 3.3.0 and below. Per the CERT advisory, when the CVE-2024-12084 (heap buffer overflow) and CVE-2024-12085 (information leak) vulnerabilities are combined, they can lead to arbitrary code execution. The only prerequisite for exploiting these vulnerabilities is that the attacker has anonymous read access to the Rsync server, such as a public mirror. The advisory also states that successful exploitation can lead to a full takeover of the server: sensitive data such as SSH keys can be extracted, and further malicious code can be executed. The CERT page is currently tracking known Linux distributions that ship vulnerable versions of Rsync.

 

QNAP Fixes Rsync Vulnerabilities

The six Rsync vulnerabilities noted above affect QNAP HBS 3 Hybrid Backup Sync 25.1.x systems. This is QNAP's data backup and disaster recovery solution. QNAP is urging administrators to update to HBS 3 Hybrid Backup Sync 25.1.4.952 or higher to address these vulnerabilities.

 

7-Zip Mark of the Web Bypass

A vulnerability tracked as CVE-2024-0411 allows threat actors to bypass Mark-of-the-Web protections in 7-Zip. Mark-of-the-Web is a security measure in Windows that flags files downloaded from the internet, so that the user receives a prompt warning that the file may come from an untrusted source and should be treated with caution. When a threat actor abuses this vulnerability, and can entice the user to open the malicious file (common in phishing attacks), the user does not receive this warning, which increases the likelihood that the malicious payload is executed. Proof-of-concept exploits are in the wild. This vulnerability is patched in 7-Zip version 24.09. However, 7-Zip has no auto-update function, so the new version must be manually downloaded from the official 7-Zip site.
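Every item in this roundup boils down to an affected-version range, and most of the work for a defender is matching an inventory against those ranges. As an added example that is not from the report or any of the vendors, the Python below turns the version statements above into rules and checks a constructed inventory against them. Version strings are split into integer components, so a SonicWall hotfix build such as 12.4.3-02804 compares as a fourth component and 24.09 compares as (24, 9); where the roundup names a fixed version the rule is "below the fix", otherwise "at or below the last affected version". The hostnames, product labels and CSV layout are assumptions; the version boundaries are the ones stated in the sections above.

```python
"""Check an asset inventory against the affected-version ranges in this roundup.

Added example, not vendor code. Version boundaries come from the report text
above; hostnames, the CSV layout and the product labels are assumptions.
"""
import csv
import io
import re

def parse_version(s):
    """Split a version string into a tuple of ints: '12.4.3-02804' -> (12, 4, 3, 2804)."""
    return tuple(int(p) for p in re.findall(r"\d+", s))

def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (24, 9) and (24, 9, 0) compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def v_le(a, b):
    a, b = _pad(a, b)
    return a <= b

def v_lt(a, b):
    a, b = _pad(a, b)
    return a < b

# Each rule: product label, lowest affected version ('lo', None = every earlier release), and
# either 'fixed' (first safe version, exclusive) or 'max' (last affected version, inclusive).
RULES = [
    {"product": "FortiOS",           "lo": "7.0.0",  "fixed": "7.0.17"},
    {"product": "FortiProxy",        "lo": "7.2.0",  "fixed": "7.2.13"},
    {"product": "FortiProxy",        "lo": "7.0.0",  "fixed": "7.0.20"},
    {"product": "SonicWall SMA1000", "lo": None,     "max": "12.4.3-02804"},
    {"product": "Rsync",             "lo": None,     "max": "3.3.0"},
    {"product": "QNAP HBS 3",        "lo": "25.1.0", "fixed": "25.1.4.952"},
    {"product": "7-Zip",             "lo": None,     "fixed": "24.09"},
]

def is_affected(product, version):
    """Return the matching rule if (product, version) falls in an affected range, else None."""
    v = parse_version(version)
    for rule in RULES:
        if rule["product"].lower() != product.lower():
            continue
        if rule["lo"] is not None and not v_le(parse_version(rule["lo"]), v):
            continue
        if "fixed" in rule:
            hit = v_lt(v, parse_version(rule["fixed"]))
        else:
            hit = v_le(v, parse_version(rule["max"]))
        if hit:
            return rule
    return None

SAMPLE_INVENTORY_CSV = """hostname,product,version
fw-edge-01,FortiOS,7.0.16
fw-edge-02,FortiOS,7.0.17
fw-edge-03,FortiOS,7.2.5
proxy-01,FortiProxy,7.0.19
sma-01,SonicWall SMA1000,12.4.3-02804
mirror-01,Rsync,3.2.7
nas-01,QNAP HBS 3,25.1.4.952
ws-042,7-Zip,23.01
ws-043,7-Zip,24.09
"""  # constructed inventory

def check_inventory(csv_text):
    """Return one finding per inventory row that falls inside an affected range."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rule = is_affected(row["product"], row["version"])
        if rule:
            findings.append({**row, "remediation": rule.get("fixed", "see vendor advisory")})
    return findings

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY_CSV):
        print(f"{f['hostname']:12} {f['product']:18} {f['version']:14} -> update to {f['remediation']}")
```

Note that fw-edge-03 on FortiOS 7.2.5 is not reported: the affected list in the Fortinet section covers only the 7.0 branch of FortiOS, and the rule is written to that list rather than to a guess about other branches.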





 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.



NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.