More Ransomware Groups Adopt Tactic of Impersonating IT Support

Over the last year, cybersecurity researchers and analysts reported that ransomware groups have adopted a tactic of impersonating IT support and using email bombing to convince users to provide the threat actors with access to the targeted organization’s network.

In a recent incident reported by Sophos, the 3AM ransomware group spoofed a targeted organization’s official IT department phone number to call one of the organization’s users. Just before the call, the threat actors initiated email bombing, sending the user 24 unsolicited emails in just a few minutes. When the threat actors called the user from the spoofed number, they referenced the email bombing and convinced the user to open Microsoft Quick Assist and grant remote access.

In this incident, the threat actors were able to steal over 800 GB of data, though many additional actions were largely blocked due to the company’s strict multi-factor authentication (MFA) policies and security software. In other incidents, however, once remote access is obtained, the threat actors can install malware, steal data, move laterally, elevate privileges, and encrypt data in a ransomware attack.
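The sequence described above (a burst of inbound email to one user, followed shortly by a Quick Assist launch by that same user) can be correlated in telemetry. The following is an added example, not from Sophos or the original article; the event field names, the thresholds (20 messages in 5 minutes, a 30-minute follow-up window) and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_bomb_then_quick_assist(events, burst_count=20,
                                burst_window=timedelta(minutes=5),
                                followup=timedelta(minutes=30)):
    """Return (user, burst_time, launch_time) for each Quick Assist launch
    that follows an inbound-mail burst to the same user. Thresholds are assumed."""
    recent = defaultdict(deque)  # user -> timestamps of mail inside the window
    last_burst = {}              # user -> last time the burst threshold was met
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, now = ev["user"], ev["time"]
        if ev["type"] == "mail":
            q = recent[user]
            q.append(now)
            while now - q[0] > burst_window:  # drop mail older than the window
                q.popleft()
            if len(q) >= burst_count:
                last_burst[user] = now
        elif ev["type"] == "process" and ev["image"].lower() == "quickassist.exe":
            burst = last_burst.get(user)
            if burst is not None and now - burst <= followup:
                alerts.append((user, burst, now))
    return alerts

def sample_events():
    """Constructed sample telemetry: hypothetical users and timestamps."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    # alice: 24 messages, one every 10 seconds, then Quick Assist 12 minutes in
    ev = [{"type": "mail", "user": "alice", "time": t0 + timedelta(seconds=10 * i)}
          for i in range(24)]
    ev.append({"type": "process", "user": "alice", "image": "QuickAssist.exe",
               "time": t0 + timedelta(minutes=12)})
    # bob: ordinary mail volume, then a routine Quick Assist session (no alert)
    ev += [{"type": "mail", "user": "bob", "time": t0 + timedelta(minutes=i)}
           for i in range(3)]
    ev.append({"type": "process", "user": "bob", "image": "QuickAssist.exe",
               "time": t0 + timedelta(minutes=5)})
    return ev

if __name__ == "__main__":
    for user, burst, launch in find_bomb_then_quick_assist(sample_events()):
        print(f"{user}: mail burst at {burst}, Quick Assist at {launch}")
```

In practice the mail events would come from the mail gateway's message trace and the process events from endpoint telemetry, joined on the user's identity.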