3AM Ransomware Uses Spoofed IT Calls, Email Bombing to Breach Networks

Summary:
An affiliate of the 3AM ransomware operation has been observed combining email bombing with spoofed IT support calls to manipulate employees into granting remote access. The tactic, first used by the Black Basta ransomware group and later adopted by FIN7, has proven effective enough that it is now in wider use. Between November 2024 and January 2025, Sophos tracked at least 55 such incidents linked to two threat clusters that mirrored the Black Basta playbook, including phishing over Microsoft Teams and abuse of Microsoft Quick Assist. A notable attack in early 2025 against a Sophos customer added a twist: the threat actor spoofed the company’s real IT phone number, so the caller ID matched what the employee expected to see. During an email-bombing wave that delivered 24 emails in three minutes, the attacker called the employee and persuaded them to start a Quick Assist session.

Once access was granted, the attacker downloaded a malicious archive from a spoofed domain. It contained a VBS script, the QEMU emulator, and a Windows 7 virtual machine image with the QDoor backdoor pre-installed. Running the backdoor inside a QEMU guest kept its activity off the host operating system and out of view of host-based security tools. The attacker then performed reconnaissance with WMIC and PowerShell, created a local administrator account for RDP access, installed the XEOXRemote RMM tool, and ultimately compromised a domain administrator account.


Security Officer Comments:
Despite Sophos’ tools blocking lateral movement, attempts to disable protection, and the 3AM ransomware encryptor itself, the attacker still exfiltrated 868 GB of data to Backblaze cloud storage using the GoodSync synchronization tool. The intrusion lasted nine days; data theft was complete by the third day, and the attacker was eventually blocked from spreading further.


Suggested Corrections:


Build employee awareness
  • Vishing attacks, such as this 3AM incident and other recent ransomware intrusions, depend on deception and on exploiting a targeted individual’s confusion and sense of urgency when something unexpected happens, such as a flood of unwanted emails suddenly disrupting their workday. Educate staff on exactly how IT support will contact them, under what circumstances, and which tools it will use to provide remote technical support, so that a call or remote-assistance request that deviates from that pattern is recognized as social engineering.

Audit administrative and service accounts
  • Enforce password complexity, limit access by policy to contain misuse if an account is compromised, and ensure there is no password reuse across administrative accounts. Regularly audit administrative accounts and disable local administrator accounts that are not required; in this intrusion the attacker created a new local administrator for RDP access, so unexpected additions to the local Administrators group are a high-value signal. Follow Microsoft’s guidelines for least-privilege administrative models. Additionally, if service accounts cannot have multifactor authentication enabled for specific technical reasons, they should be restricted to specific log-on times and have their privileges limited to only those required for their tasks.
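The following PowerShell is an added example, not code from the Sophos report or the article above. It checks the local Administrators group against an allow-list, disables local accounts that should not be there, and looks back through the Security log for the sequence this attacker produced: a new local account (event 4720) followed by its addition to Administrators (event 4732). The allow-list entries and the CONTOSO group names are placeholders; replace them with what your estate actually expects.

```powershell
# Added example: audit local admins and surface the "new local admin for RDP" pattern.
# Run elevated. $ApprovedAdmins is a hypothetical allow-list; CONTOSO groups are assumptions.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account; ideally disabled or LAPS-managed
    'CONTOSO\Domain Admins',             # hypothetical domain group
    'CONTOSO\Workstation-Admins'         # hypothetical tier-2 admin group
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Disable-UnexpectedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins, [switch]$WhatIf)
    foreach ($m in Get-UnexpectedLocalAdmins -Approved $Approved) {
        # Only local user accounts can be disabled here. Domain users and groups are
        # reported so they can be removed from the group or handled in Active Directory.
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $localName = ($m.Name -split '\\')[-1]
            Disable-LocalUser -Name $localName -WhatIf:$WhatIf
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf:$WhatIf
        } else {
            Write-Warning "Unexpected non-local principal in Administrators: $($m.Name)"
        }
    }
}

function Get-RecentAdminAccountCreation {
    param([int]$Days = 14)
    # 4720 = user account created; 4732 = member added to a security-enabled local group.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720, 4732
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($e.Id -eq 4720) {
            [pscustomobject]@{ Time = $e.TimeCreated; Event = 'AccountCreated'
                               Target = $data['TargetUserName']; Actor = $data['SubjectUserName'] }
        } elseif ($data['TargetUserName'] -eq 'Administrators') {
            # 4732 carries the member as a SID. Resolve it; if the account has since been
            # deleted (a common attacker clean-up step) the raw SID is kept, which is itself telling.
            $member = $data['MemberSid']
            try {
                $member = (New-Object System.Security.Principal.SecurityIdentifier($member)).
                          Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [pscustomobject]@{ Time = $e.TimeCreated; Event = 'AddedToAdministrators'
                               Target = $member; Actor = $data['SubjectUserName'] }
        }
    }
}

Get-UnexpectedLocalAdmins | Format-Table -AutoSize
Get-RecentAdminAccountCreation | Sort-Object Time | Format-Table -AutoSize
Disable-UnexpectedLocalAdmins -WhatIf   # drop -WhatIf once the allow-list is confirmed
```

Run it with `-WhatIf` first on a representative machine; a 4720 and 4732 pair for the same account within a few minutes, performed by a user rather than your provisioning system, is the event sequence to alert on centrally rather than discover after the fact.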

Deploy policy-driven application control for software and scripts
  • Extended detection and response (XDR) tools, such as those provided by Sophos, allow policy-driven blocking of legitimate executables that are unwanted within an organization’s IT estate. Identify which software tools are in legitimate use within your organization and block those which are not expected. Execution of products such as QEMU and other virtual machine software, remote machine management (RMM) software and remote control software can be restricted to specific users or devices. Also restrict the use of PowerShell to specific administrative accounts. Prevent untrusted code from executing through digital signature verification and set the PowerShell execution policy to run only signed scripts, but treat execution policy as a safety setting rather than a security boundary: it is trivially bypassed (for example with the -ExecutionPolicy Bypass switch), so it must be backed by application control such as AppLocker or Windows Defender Application Control, which also places PowerShell into Constrained Language Mode when script rules are enforced.
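As an added example (not from the article or Sophos), the PowerShell below applies three of these controls on a Windows 10/11 Enterprise or Education host where AppLocker is available: it removes Quick Assist, the tool the attacker had the user open; it installs an AppLocker baseline under which a QEMU binary dropped into a user profile, as in this intrusion, has no rule allowing it, plus an explicit deny for QEMU’s default install location; and it sets the signed-scripts execution policy. Rule GUIDs are arbitrary, the rule names, file paths and probe file are assumptions, and both rule collections start in AuditOnly so the policy can be observed before it is enforced.

```powershell
# Added example: remove Quick Assist, deploy an AppLocker baseline, require signed scripts.
# Run elevated on a Windows edition that supports AppLocker. Paths and names are assumptions.

# --- 1) Quick Assist. Older builds ship it as a Windows capability, newer ones as a
#        Store package; handle both so the remote-control path used here is gone.
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name }
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue |
    Remove-AppxPackage -AllUsers

# --- 2) AppLocker baseline. Once a collection is enforced, anything without an Allow rule is
#        denied, so an archive extracted under %USERPROFILE% (QEMU, Windows 7 image, VBS) cannot
#        run. Deny rules win over Allow, which covers QEMU installed into Program Files.
#        Caveat: the "local admins run anything" rule mirrors AppLocker's default set, and a
#        local admin account is exactly what this attacker created. Tighten it (publisher rules,
#        no blanket admin allow) once the baseline is stable. Script rules, when enforced, also
#        put PowerShell 5.1+ into Constrained Language Mode.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="b1c4c3a0-1111-4a4a-9a9a-000000000001" Name="Allow Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="b1c4c3a0-1111-4a4a-9a9a-000000000002" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="b1c4c3a0-1111-4a4a-9a9a-000000000003" Name="Allow local admins everything"
        Description="Default-style rule; tighten once stable" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="b1c4c3a0-1111-4a4a-9a9a-000000000004" Name="Deny QEMU (default install path)"
        Description="Deny takes precedence over Allow" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\qemu\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="b1c4c3a0-2222-4a4a-9a9a-000000000001" Name="Allow Windows folder scripts"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="b1c4c3a0-2222-4a4a-9a9a-000000000002" Name="Allow Program Files scripts"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="b1c4c3a0-2222-4a4a-9a9a-000000000003" Name="Allow local admins all scripts"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:ProgramData 'applocker-baseline.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge      # merge with any existing local policy
sc.exe config appidsvc start= auto | Out-Null          # AppLocker needs the Application Identity service
Start-Service -Name AppIDSvc

# Ask the policy what it would decide for a QEMU binary sitting in a user's Downloads folder.
# A copy of cmd.exe stands in for the real binary so the probe exists on disk.
$probe = Join-Path $env:USERPROFILE 'Downloads\qemu-system-x86_64.exe'
Copy-Item "$env:WINDIR\System32\cmd.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User 'Everyone' | Format-List
Remove-Item $probe -Force

# --- 3) Signed scripts only. On its own this is bypassable (powershell.exe -ExecutionPolicy
#        Bypass, or script text fed via stdin), so it guards against accidents; AppLocker above,
#        once switched from AuditOnly to Enabled, is the actual control.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
```

Watch the AppLocker event log (Applications and Services Logs / Microsoft / Windows / AppLocker) during the audit period for legitimate tools that would have been blocked, add publisher rules for them, then change both EnforcementMode attributes to Enabled and redeploy. Publisher rules for your approved RMM product are preferable to path rules, since path rules under %WINDIR% and %PROGRAMFILES% still trust any user-writable subfolder that exists there.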

Implement MFA for and place strict controls on remote access
  • MFA helped restrict lateral movement and remote access in this case; organizations should do all they can to strengthen authentication for remote access, and to limit which systems can be reached from outside the network through policy and network segmentation.

Use network filtering and network intrusion prevention to block unwanted remote access
  • Block access to ports associated with remote access (RDP in particular) into critical segments of the network, restricting remote desktop access to servers specifically designated for that task. Use IPS filters to block inbound and outbound network traffic that could be connected to remote control tools, backdoors and data exfiltration, including large uploads to consumer or unapproved cloud storage such as the Backblaze transfer seen here. Create detections and alerts that are triggered by this type of activity.

Lock down Windows Registry editing
  • Restrict who can modify hives or keys in the Windows Registry related to settings that can impact, or be used to bypass, security software and policies.

Link(s):
https://www.bleepingcomputer.com/ne...ed-it-calls-email-bombing-to-breach-networks/