Russian ransomware hackers increasingly posing as tech support on Microsoft Teams

Cybersecurity authorities and major technology firms reported a significant surge in cyberattacks orchestrated by Russian-speaking ransomware groups exploiting Microsoft Teams to impersonate technical support staff. These threat actors have adopted increasingly sophisticated social engineering tactics, targeting employees of organizations through fake support messages delivered via Microsoft Teams, a platform widely used for internal business communication.
According to intelligence shared by Microsoft and corroborated by several independent cybersecurity firms, attackers initiate contact with victims by sending deceptive messages that appear to be from legitimate IT personnel. These messages often include urgent language indicating the need to resolve a security issue, reset a password, or validate system credentials. Once trust is established, the hackers trick victims into downloading malware-laced tools or disclosing their login credentials. These actions provide the attackers with remote access to internal systems, which they later exploit to deploy ransomware or steal sensitive data.
The actors behind these campaigns are believed to be affiliated with or sponsored by state-aligned Russian ransomware syndicates. These groups are known for their adaptive methods and ability to exploit enterprise collaboration tools, taking advantage of employees’ familiarity with such platforms. Security analysts noted that the attackers sometimes use previously compromised Microsoft 365 accounts or spoofed domains to initiate contact within the same organization, making the deception more credible.
Microsoft has responded by strengthening detection mechanisms within Teams, issuing advisories to enterprise customers, and encouraging the adoption of multi-factor authentication (MFA) and conditional access policies. Cybersecurity experts are urging organizations to conduct regular employee awareness training, emphasizing how to verify internal communication channels and report suspicious messages.
This new wave of impersonation-based intrusions represents a dangerous evolution in ransomware delivery tactics. It highlights the growing need for businesses to reassess their internal security policies and adopt a zero-trust architecture to defend against socially engineered threats delivered through everyday collaboration platforms.