Email Bombing Followed by Teams IT Impersonation Attacks Continue
November 17, 2025 | 8 min read
Joshua Green and Josh Trinh


BlueVoyant’s Threat Fusion Cell and SOC have been tracking a significant and persistent social engineering campaign that cleverly exploits trusted communication channels to gain initial access to target networks. Since at least mid-October 2025, BlueVoyant has observed a consistent playbook where threat actors employ inbox sabotage as a pretext for highly convincing IT support impersonation over Microsoft Teams. This attack chain, initially highlighted by Microsoft in May 2024, has proved successful and remains a significant risk as targeting continues to focus on senior leadership and specialized roles within a range of sectors: financial, legal, professional services, and manufacturing. This analysis details the technical mechanics of these recent attacks and provides actionable guidance for defense.
A Two-Stage Attack Chain
The campaign operates on a streamlined, two-stage process designed to maximize confusion and leverage human trust. The first stage involves a tactical denial-of-service attack against the victim’s email inbox. Actors use automated scripts to subscribe the target to a massive volume of legitimate mailing lists and services, triggering a flood of automated confirmation emails. These emails—consisting of confirmation requests for religious or other organizational newsletters, notifications for niche hobbyist or event registrations, or just generic subscription confirmation messages—are benign by nature, allowing them to easily slip past traditional email security filters. This bombardment is strategically timed for the victim’s local business hours, creating a state of disruption and anxiety that primes them for the next phase of the attack.
Following the email bomb, the threat actor immediately initiates the second stage. Posing as organizational IT support using the display name “HELP DESK” or “IT SUPPORT,” the attacker makes contact through a Microsoft Teams message or call. Critically, the contacting account is an actor-controlled account created on a fraudulent Microsoft 365 tenant, with observed User Principal Names (UPNs) including domains like zypeong2[.]onmicrosoft[.]com and service-desk[.]digital. In several cases, these accounts originated from the IP 139[.]28[.]219[.]30, associated with the VPN and hosting provider M247 LTD. The social engineering hook is precisely tailored—the actor references the ongoing email deluge, presenting themselves as a support technician tasked with resolving the very issue they created.
The ultimate objective of this communication is to establish remote access. The primary method observed is the abuse of legitimate remote access tools. The actors heavily target Microsoft Quick Assist because, as a pre-installed Windows application, it is trusted by users, but they also attempt to coax users into downloading third-party RMM software like AnyDesk. In successful compromises, this remote access led to evidence of command execution and suspicious process creation. In one notable case BlueVoyant encountered, PowerShell was invoked to download a QEMU virtual machine and a potential Go-based backdoor, indicating serious post-compromise payload staging. As recently as May 2025, Sophos researchers documented how this same attack chain was employed and also incorporated the deployment of a QEMU virtual machine to deliver 3AM ransomware.
Targeting and Victimology
BlueVoyant’s Threat Fusion Cell (TFC) examined the campaign’s targeting in depth and found that it is underpinned by a deliberate and clear reconnaissance effort. The threat actors are not spraying attacks blindly but are systematically identifying high-value individuals whose compromise would offer significant leverage or access. The victimology indicates targeting across a range of sensitive sectors, including Public Accounting, Private Equity, Legal Services, and Pharmaceutical Services.
The victim selection in this campaign is a study in deliberate and strategic targeting, reflecting sophisticated reconnaissance that extends far beyond mere credential theft. Threat actors are not casting a wide net for random low-level employees. The targeted roles are exclusively non-technical, white-collar professionals who wield significant business influence but are less likely to possess the technical acumen to recognize the attack. Moreover, a meticulous review of the compromised positions reveals a clear pattern: the attackers are systematically avoiding IT staff.
The targeting focus is consistently on users with titles in the C-level suite, senior management, finance and accounting roles, legal professionals and specialized business lines. These individuals are targeted precisely because they sit at the nexus of critical business functions, possessing the authority to authorize financial transactions, access troves of sensitive client data, manage intellectual property, or control critical business systems. The compromise of one of these professionals provides a threat actor with a high-value gateway into the most sensitive areas of a corporate network. Furthermore, by deliberately circumventing the IT department, the attackers significantly reduce their risk of detection during the initial social engineering phase. An IT professional would immediately recognize the fraudulent nature of a "helpdesk" request from an external [.]onmicrosoft[.]com domain and would be familiar with official internal support procedures.
The campaign also demonstrates a flexible and alarming approach to scale. In some instances, the attack is a surgical strike focused on a single high-value individual, such as a Chief Growth Executive or a Senior HR leader. The entire email bomb and subsequent social engineering effort are concentrated on this one person, aiming to establish a deep and persistent foothold with maximum privileges from a single compromise. However, a more aggressive pattern has also been observed, where threat actors launch a broad, multi-person assault within a single organization. In these cases, as seen in the manufacturing and pharmaceutical sectors, dozens of employees were targeted nearly simultaneously—with one incident involving fraudulent Teams messages sent to 19 users in a short timeframe.
This "spray and pray" tactic within a single company serves to create widespread confusion, overwhelm the SOC’s response capacity, and statistically increase the odds that at least one employee will succumb to the impersonation attempt. The compromise of even a single mid-level account in such an assault can provide the crucial beachhead needed for lateral movement, making the scale of these multi-user attacks a significant and escalating threat.
The TFC conducted a historical review of threat activity and found another possible connection between this current campaign and the threat group UTG0154, which was last reported in March 2025. This assessment is based on shared tactics, including the abuse of Microsoft Teams for IT support impersonation and the use of Quick Assist for initial remote access. However, a definitive link cannot be established at this time. The current activity notably lacks the unique TypeLib COM hijacking persistence technique that was a key characteristic of UTG0154's operations. Furthermore, some of the TTPs observed in this campaign have been publicly documented and adopted by other threat actors, reducing their value as a unique identifier. As such, the TFC assesses only a low potential for a link to the UTG0154 activity cluster.
Defensive Recommendations
Mitigating this threat requires a defense-in-depth strategy that blends technical controls, enhanced monitoring, and user awareness. The most critical technical action is to harden the Microsoft Teams environment by configuring messaging policies to prohibit or severely restrict communication with external accounts, which severs the primary attack vector. This should be complemented by application control policies designed to block the execution of unauthorized RMM tools, with special scrutiny placed on the execution of QuickAssist.exe by non-IT staff.
Enhanced monitoring is also essential. Security teams should create alerts for each stage of this activity. BlueVoyant's Threat Fusion Cell Content Engineering (TFC CE) team developed and deployed multiple detection capabilities to identify and alert on the various stages of this attack chain to protect clients:
1. Email Bombardment Detection (BV-11621)
The TFC CE created advanced analytics to identify abnormal spikes in email volume targeting specific users, with special focus on legitimate subscription confirmation emails that bypass traditional security filters. This detection specifically looks for the email bombing technique used as the initial disruptive phase.
2. External Microsoft Teams Communication Monitoring (BV-21097)
BlueVoyant detection capabilities include monitoring for unsolicited messages from external Microsoft Teams users, particularly those with display names suggesting IT support functions. The detection specifically analyzes communication attempts from suspicious domains like those using [.]onmicrosoft[.]com and identifies patterns matching impersonation attempts.
3. Remote Management Tool Usage Detection (BV-11620)
The TFC CE further implemented comprehensive detection for unauthorized use of remote access tools, including:
- Microsoft Quick Assist activation and connection attempts
- Third-party RMM software downloads and executions (AnyDesk and others)
- Unusual execution of these tools outside established support patterns
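The three detections above are most useful when chained, because a confirmation-mail flood, an external "HELP DESK" Teams contact and a Quick Assist launch by a non-IT user are each noisy on their own but damning in sequence. The following correlation logic is an added example written for this page, not BlueVoyant's own BV-11621/BV-21097/BV-11620 content; it assumes simplified event tuples for mail, Teams and process-creation telemetry, constructed sample data, and thresholds that are assumptions rather than tuned values (the zypeong2 and service-desk[.]digital domains are the ones the post reports).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds and lists are assumptions for this example, not BlueVoyant's tuned values.
MAIL_BOMB_THRESHOLD = 50                  # confirmation mails per user per window
MAIL_WINDOW = timedelta(minutes=30)
TEAMS_FOLLOW_UP = timedelta(hours=4)      # how soon after the bomb the "help desk" reaches out
CONFIRM_WORDS = ("confirm", "verify", "welcome to", "subscription")
IT_DISPLAY_NAMES = ("help desk", "helpdesk", "it support")
EXTERNAL_TENANT_MARKERS = (".onmicrosoft.com", "service-desk.digital")
RMM_BINARIES = {"quickassist.exe", "anydesk.exe"}
IT_STAFF = {"it.admin@corp.example"}      # hypothetical allow-list of real support staff
def is_it_impersonator(display_name, sender_upn):  # external tenant + support-sounding name
    return any(sender_upn.lower().endswith(m) for m in EXTERNAL_TENANT_MARKERS) \
        and any(n in display_name.lower() for n in IT_DISPLAY_NAMES)
def mail_bomb_victims(mail_events):
    """Stage 1: {user: window_start} for users who got >= threshold confirmations in one window."""
    per_user = defaultdict(list)
    for ts, user, subject in mail_events:
        if any(w in subject.lower() for w in CONFIRM_WORDS):
            per_user[user].append(ts)
    victims = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - MAIL_BOMB_THRESHOLD + 1):   # sliding window over sorted times
            if times[i + MAIL_BOMB_THRESHOLD - 1] - times[i] <= MAIL_WINDOW:
                victims[user] = times[i]
                break
    return victims
def correlate(mail_events, teams_events, proc_events):
    """Chain the stages: bomb -> external IT-lookalike Teams contact -> RMM launch by a non-IT user."""
    victims, contacted, alerts = mail_bomb_victims(mail_events), {}, {}
    for ts, user, display, sender in teams_events:
        if user in victims and is_it_impersonator(display, sender) \
                and timedelta(0) <= ts - victims[user] <= TEAMS_FOLLOW_UP:
            contacted.setdefault(user, ts)
            alerts[user] = "medium"           # bombed, then contacted by a fake help desk
    for ts, user, image in proc_events:
        if image.lower().rsplit("\\", 1)[-1] in RMM_BINARIES and user not in IT_STAFF:
            chained = user in contacted and ts >= contacted[user]
            alerts[user] = "high" if chained else alerts.get(user, "low")
    return alerts

T0 = datetime(2025, 10, 20, 9, 0)  # constructed sample telemetry below (not from the post)
MAIL = [(T0 + timedelta(seconds=20 * i), "cfo@corp.example", f"Please confirm your subscription #{i}") for i in range(60)]
TEAMS = [(T0 + timedelta(hours=1), "cfo@corp.example", "HELP DESK", "support@zypeong2.onmicrosoft.com"),
         (T0 + timedelta(hours=1), "analyst@corp.example", "Bob (Vendor)", "bob@partner.example")]
PROCS = [(T0 + timedelta(hours=2), "cfo@corp.example", r"C:\Windows\System32\quickassist.exe"),
         (T0 + timedelta(hours=2), "analyst@corp.example", r"C:\Users\analyst\Downloads\AnyDesk.exe"),
         (T0 + timedelta(hours=2), "it.admin@corp.example", r"C:\Windows\System32\quickassist.exe")]
```

Running `correlate(MAIL, TEAMS, PROCS)` rates the CFO "high" (all three stages in order), the analyst's stand-alone AnyDesk launch "low", and the allow-listed IT admin's Quick Assist use is not alerted at all.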
Finally, immediate and targeted user awareness training is paramount. Training must emphasize that the IT helpdesk will never initiate unsolicited contact via Teams and must mandate that users verify any unexpected IT contact through a secondary, pre-established channel like a known helpdesk phone number. This campaign underscores that the human layer is both the primary target and the most critical layer of defense.
Conclusion
This campaign represents the continuation of a mature and highly effective social engineering attack, incorporating a multi-stage process that meticulously manufactures a pretext for intrusion. By exploiting the inherent trust that users place in Microsoft Teams and abusing legitimate remote access tools, threat actors are leveraging a proven playbook that consistently bypasses basic technical defenses. The deliberate, reconnaissance-driven targeting of high-value, non-technical roles across critical sectors underscores the significant motives at play.
The defensive recommendations provided are not merely suggestions but essential countermeasures. BlueVoyant's SOC has developed and deployed advanced detection rules to identify the tell-tale patterns of this attack chain, from anomalous mail flow and suspicious external tenant communication to the execution of remote access tools. However, technology alone is insufficient. Ultimate resilience against this threat hinges on a collaborative defense: robust technical controls to shrink the attack surface, vigilant monitoring to detect the activity, and—most critically—a well-trained, security-conscious workforce that serves as the final and most reliable layer of defense. Organizations must act with urgency to implement these measures, as this campaign shows no signs of abating and continues to pose a clear and present danger to enterprises globally. Vigilance and user education are the keys to breaking the chain of compromise.
MITRE ATT&CK TECHNIQUES
T1667 – Email Bombing
T1589.001 – Gather Victim Identity Information
T1566 – Phishing
T1566.001 – Spearphishing Attachment
T1498 – Network Denial of Service
T1036 – Masquerading
T1656 – Impersonation
T1204 – User Execution
T1204.002 – User Execution: Malicious File
T1059 – Command and Scripting Interpreter
T1219 – Remote Access Software