Sagrid

Sagrid, also known as Storm-0324 and TA543, is a notorious threat actor known for its financially motivated cyberattacks. The group has been recently observed exploiting vulnerabilities in Microsoft Teams, the widely-used collaboration app, to conduct sophisticated phishing operations. Using an open-source red-team tool called TeamsPhisher, Sagrid not only disseminated malicious content but also created pathways for subsequent cyber-attacks. Their activities have been meticulously tracked by the Microsoft Threat Intelligence Team, who have highlighted their actions in recent reports. The group operates as an initial access broker, utilizing email-based infection vectors to breach targets. They are particularly known for selling these accesses to ransomware operations such as FIN7, also known as Sangria Tempest, ELBRUS, and Carbon Spider. This pattern of breaching systems via phishing emails and then passing on the access to ransomware groups underscores the group's financial motivations and their role in facilitating more extensive cyber threats. Microsoft has issued warnings about a new phishing campaign conducted by this group, highlighting the risk posed to users of its O365 environment. The tech giant’s Threat Intelligence team continues to track the activities of this cluster under the names Storm-0324, TA543, and Sagrid. The group's exploitation of latent vulnerabilities in popular applications like Microsoft Teams demonstrates their capability to adapt and poses a significant challenge to cybersecurity efforts.