{
	"id": "6093c20d-af39-4b18-945b-700fe2ec5f46",
	"created_at": "2026-04-06T00:10:56.688581Z",
	"updated_at": "2026-04-10T13:11:22.935744Z",
	"deleted_at": null,
	"sha1_hash": "112187b03b33e6e8e537b80e95b66b1f0262ed25",
	"title": "Ongoing Email Bombing Campaigns leading to Remote Access and Post-Exploitation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 330628,
	"plain_text": "Ongoing Email Bombing Campaigns leading to Remote Access and Post-Exploitation\r\nArchived: 2026-04-05 16:20:27 UTC\r\nThe Threat\r\nIn recent weeks, eSentire has observed multiple Email Bombing attacks, in which threat actors use phishing techniques to gain remote access to a host in order to install malware. In an Email Bombing attack, a user receives a large volume of spam emails in a short period of time, which overwhelms the user's inbox and degrades service. This is followed by a Microsoft Teams message from a threat actor claiming to be part of the organization's IT support team, requesting a remote session to help resolve the issue. These attacks have been linked to threat groups involved in ransomware campaigns. eSentire Threat Intelligence assesses with high confidence that Email Bombing will continue to be an effective initial access technique.\r\nDue to ongoing abuse, it is recommended that organizations restrict access to external Microsoft tenants unless required for legitimate business purposes. 
Additionally, following the principle of least privilege can help limit the potential impact of a security breach.\r\nWhat we're doing about it\r\nIP addresses associated with real-world attacks are blocked via the eSentire Global Block List, and additional indicators of compromise have been added to the Threat Intelligence Feed\r\neSentire's Threat Response Unit is performing threat hunts for known Indicators of Compromise across customer environments\r\neSentire MDR for Log has detections in place to identify Microsoft Teams messages originating from external accounts from high-risk sources\r\neSentire MDR for Endpoint has detections in place to identify domain reconnaissance and application control bypass attempts, as well as malware and ransomware being deployed on an endpoint\r\nThe eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities\r\nWhat you should do about it\r\nMicrosoft Teams messages and calls from external organizations should be restricted unless necessary\r\nIf required, restrictions should be placed to only allow messages and calls from trusted business partners\r\nRemote Access tools should be restricted via policy, unless required for normal operations\r\nConfigure anti-spam policies within Exchange Online to block malicious emails\r\nUser Awareness Training should be conducted to make users aware of these types of attacks\r\nGrant remote access only to verified Tech Support teams\r\nhttps://www.esentire.com/security-advisories/ongoing-email-bombing-campaigns-leading-to-remote-access-and-post-exploitation\r\nPage 1 of 6\n\nLogin credentials must be kept secure, and access should not be provided to anyone claiming urgency without proper verification\r\nEnsure users are aware of the process to report potential security incidents\r\nAdditional Information\r\nThe Email Bombing attack chain involves a user receiving high amounts of spam emails within a short 
period of time, in an attempt to overwhelm the user. This is then followed by Microsoft Teams messages originating from threat actor-controlled Microsoft Office 365 service tenants, posing as tech support from the user's organization. This is possible through configuration settings within Microsoft Teams that allow users on external domains to initiate chats or meetings with internal users.\r\nThe threat actors will initiate a request for a call with the victim to help remediate the ongoing email spam issue. While on the call, the threat actor will utilize Microsoft remote control tools such as Quick Assist or Teams screen sharing to take control of the target’s machine. During this session, the threat actor will download further malicious payloads onto the host to gain persistence, perform reconnaissance, gather credentials, exfiltrate data, and drop malware or ransomware. Sophos has attributed related activity to the ransomware-related threat clusters STAC5143 and STAC5777, which have also been documented in public reports as key threat actors in recent cyber threats.\r\nIn one instance, eSentire observed a threat actor downloading the following files via the Microsoft Edge web browser (kb052117-01.bpx and kb052123-02.bpx) once the threat actor gained access to the host via a Quick Assist session. The files were downloaded from the domain ‘hxxps[://]filters6[.]s3[.]us-east-2[.]amazonaws[.]com/gtjs.html?t=drivers’, and were combined to create the file ‘pack.zip’. Scripted commands were run, performing various actions with the Zip file, while maintaining the guise of installing email filters for the user to cover their tracks.\r\nThis file was extracted using tar[.]exe, which created the ‘%TEMP%\\arch1271.cab’ file; this was then copied to the ‘%LOCALAPPDATA%\\Microsoft\\ODBC’ directory. 
The ‘arch1271.cab’ file contained the malicious ‘wscapi.dll’, which was executed via the ‘odbcconf.exe’ process.\r\nSimilar actions were performed within the ‘%LOCALAPPDATA%\\Microsoft\\OneDrive’ directory, which resulted in a legitimate ‘OneDriveStandaloneUpdater.exe’ process being created in that directory as well. After various steps, the script would print ‘Filters installed successfully!’ to cover the threat actor's activity.\r\nA Registry key was also added under ‘HKCU\\SOFTWARE\\TitanPlus’, containing C2 IPs (45[.]8[.]157[.]199:443;5[.]181[.]3[.]164:443;38[.]180[.]25[.]3:443). The final actions of the script were to delete the kb052117-01.bpx, kb052117-02.bpx, and pack.zip files. This activity was detected via MDR for Endpoint, where the SOC alerted and isolated the host involved.\r\nIn other instances of this attack, eSentire has observed PowerShell being used to download additional payloads and establish persistence once a threat actor has gained remote access to a host. 
Specifically, the threat actor downloaded TeamViewer for persistence, deployed the XenArmor password recovery tool to steal the victim's credentials, and leveraged a .NET DLL payload to establish Command-and-Control (C2) connections, load SharpShares in memory to discover network shares, and use Nltest for Domain Controller enumeration.\r\nIndicators of Compromise (IOCs)\r\n38[.]180[.]25[.]3 - C2 IP (STAC5777)\r\n45[.]8[.]157[.]199 - C2 IP (STAC5777)\r\n5[.]181[.]3[.]164 - C2 IP (STAC5777)\r\n67[.]43[.]234[.]113 - C2 IP\r\n0041E492A07AAC0B64AD907D44E6242BCA8A2193D492B8DD44EFC14170391E0F - xem.7z Hash\r\n26B16D28C42F3853D9AA571BD864E419B56B30A54BB5A8E596F70B2D227386402 - RefreshSystem.txt Hash\r\n2B3D230A76368B7B940BD069DD63C8FCD16E4DBFC888B127427062EE39BDD3CA - Malicious DLL that was dropped by the PowerShell dropper\r\n4F77EA80FF9ACA5752A6CF01A0C0FF070563E286659AB86F43EAC889341B0E13 - XenAllPasswordPro Hash\r\n2010A4701A0819B61579F916149AE0A5FE3D37D6939B3F66102717C925289B9C - Malicious TeamViewer used by TA to establish persistence\r\n73F3ED20F03168D25E658B0603E533CDB566B402 - Malicious TeamViewer used by TA to establish persistence\r\nhxxps[://]filters6[.]s3[.]us-east-2[.]amazonaws[.]com/gtjs.html?t=drivers - First Stage Payload downloader\r\nhxxps[://]filters6[.]s3[.]us-east-2[.]amazonaws[.]com/js/kb052117-01[.]bpx - Malware payload hosting\r\nhxxps[://]filters6[.]s3[.]us-east-2[.]amazonaws[.]com/js/kb052123-02[.]bpx - Malware payload hosting\r\nhxxps[://]filters6[.]s3[.]us-east-2[.]amazonaws[.]com/gtjs[.]html?t=drivers - Malware payload hosting\r\nhxxps[://]onedrive[.]live[.]com/download?resid=886E7DEE31E60678!116\u0026authkey=!AFpMOei32rZTc4M - Malicious TeamViewer download for persistence\r\nhxxps[://]drive[.]usercontent[.]google[.]com/u/0/uc?id=1xXbgBiLuM_D-Ak-J7bgRJefFvlfGY-fx - Malicious PowerShell dropper download\r\nhxxps[://]drive[.]usercontent[.]google[.]com/u/0/uc?id=1IdT91pPHyRsDSQMyM7qXFlbVHG0F3a3r - Malicious PowerShell script download -\u003e RefreshSystem.txt\r\nhxxps[://]hatua[.]tech/mspsek/x - Possible download of XenAllPasswordPro and 7-ZIP used for credential theft\r\nhxxps[://]hatua[.]tech/mspsek/7 - Possible download of XenAllPasswordPro and 7-ZIP used for credential theft\r\nhatua[.]tech - Possible download of XenAllPasswordPro and 7-ZIP used for credential theft\r\nhxxps[://]ensol[.]co/wp-content/themes/twen/a[.]zip - Possible malicious TeamViewer download\r\nensol[.]co - Possible malicious TeamViewer download\r\nReferences:\r\n[1] https://csrc.nist.gov/glossary/term/least_privilege\r\n[2] https://www.esentire.com/what-we-do/threat-response-unit/threat-intelligence-services\r\n[3] https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings\r\n[4] https://learn.microsoft.com/en-us/defender-cloud-apps/governance-discovery\r\n[5] https://learn.microsoft.com/en-us/defender-office-365/anti-spam-policies-configure\r\n[6] https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/\r\n[7] https://github.com/sophoslabs/IoCs/blob/master/MAILBOMB-TEAMS-RANSOMWARE.csv\r\nSource: 
https://www.esentire.com/security-advisories/ongoing-email-bombing-campaigns-leading-to-remote-access-and-post-exploitation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/security-advisories/ongoing-email-bombing-campaigns-leading-to-remote-access-and-post-exploitation"
	],
	"report_names": [
		"ongoing-email-bombing-campaigns-leading-to-remote-access-and-post-exploitation"
	],
	"threat_actors": [
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6ed6a54a-1e8f-45f7-997a-4424eb2bcac8",
			"created_at": "2025-03-04T02:00:03.001987Z",
			"updated_at": "2026-04-10T02:00:03.815321Z",
			"deleted_at": null,
			"main_name": "STAC5143",
			"aliases": [],
			"source_name": "MISPGALAXY:STAC5143",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/112187b03b33e6e8e537b80e95b66b1f0262ed25.pdf",
		"text": "https://archive.orkl.eu/112187b03b33e6e8e537b80e95b66b1f0262ed25.txt",
		"img": "https://archive.orkl.eu/112187b03b33e6e8e537b80e95b66b1f0262ed25.jpg"
	}
}