Inside 3AM Ransomware Tactics and How to Defend Against Real-World Attacks in 2025

Discover how the 3AM ransomware group is using email bombing, voice phishing, and remote tools like Microsoft Teams and Quick Assist to breach organizations in 2025. Sophos experts Blair Dunbar and John Shier break down real attacks, reveal trends from the State of Ransomware report, and share actionable tips to protect your business from advanced threats.

 


Video Summary:
 

00:03 Introduction 

Hi everyone, and welcome to Cyber Shorts with Sophos, a LinkedIn Live series focused on bringing you insights into trending cybersecurity topics. 

Today we’re sharing some of those insights and explaining how you can use them to better educate and defend your organization from cyber threats. 

I’m Blair Dunbar, and I lead communications for the Sophos X-Ops team. Joining me today is John Shier, Sophos Field CISO. 

John, thanks for being here. 

 

00:34 Ransomware tactics are evolving 

Ransomware attacks are often crimes of opportunity. Attackers frequently exploit low-hanging fruit, such as unpatched software or exposed remote access points. 

However, adversaries are increasingly raising the stakes with more targeted, hands-on tactics.

Two techniques we’ve been seeing more frequently are email bombing and vishing, which attackers are using as part of ransomware campaigns. 

 

01:02 What is email bombing? 

Email bombing is an attack where a victim receives an extremely large number of messages within a very short period of time. 

The goal is to overwhelm the recipient’s inbox, making it difficult to identify legitimate messages and disrupting normal work. 

While this tactic has historically been associated with harassment or denial-of-service attacks, cybercriminals are now using it as part of broader ransomware campaigns. 

 

01:30  What is vishing? 

Voice phishing, or vishing, involves attackers calling victims directly and impersonating a trusted entity, such as IT support. 

Just like phishing emails, these calls create a sense of urgency or fear to pressure victims into complying with requests or sharing sensitive information. 

Because phone calls feel more personal and credible than emails, they can be highly effective. 

 

02:16  Why attackers combine these tactics 

Attackers are increasingly combining email bombing and vishing because the approach works. 

In many cases, the flood of emails serves as a pretext for the phone call. 

After the victim’s inbox is overwhelmed, the attacker contacts them pretending to be from the IT department and offers to help resolve the issue. 

In essence, the attackers create the problem first and then present themselves as the solution. 

 

03:10  Real-world attacks observed by Sophos 

Sophos Managed Detection and Response observed 15 incidents in late 2024 that used both of these techniques. 

In one case, a victim received more than 3,000 emails in 45 minutes, followed by a Microsoft Teams call from an account posing as a help desk manager. 

During the call, the attacker convinced the employee to allow remote screen control through Teams, which enabled the attacker to execute malware and deploy malicious files from an external SharePoint repository. 

 

05:02  Remote access abuse and persistence 

In several incidents, attackers instructed victims to install Microsoft Quick Assist, a legitimate remote access tool. 

Once access was granted, the attackers established remote sessions that allowed them to: 

  • Execute malicious commands
  • Move laterally through the network
  • Establish command-and-control infrastructure
  • Attempt to disable security tools

In one case, attackers attempted to deploy Black Basta ransomware, which was successfully blocked by Sophos protections. 

 

06:23 Groups using these techniques 

Several threat groups have used these tactics, including Black Basta and FIN7.

More recently, the 3AM ransomware group has also used similar techniques, including spoofed phone calls that appear to originate from an organization’s internal IT department. 

In one attack, the adversary remained inside the network for nine days before attempting to deploy ransomware. 

 

08:06 The current state of ransomware 

Ransomware continues to pose a major threat to organizations. 

The latest Sophos State of Ransomware report shows that the most common root causes of attacks are: 

  • Exploited vulnerabilities
  • Compromised credentials

In fact, 38% of organizations reported that attacks were caused by known security gaps that had not been addressed.

Encouragingly, data encryption rates are declining, suggesting organizations are improving their ability to stop attacks earlier. 

However, nearly half of victims still report paying a ransom, and many respondents report increased stress and anxiety as a result of ransomware incidents. 

 

10:04  How organizations can defend themselves 

Organizations should focus on preventing attacks, monitoring environments, and responding quickly when incidents occur.

Key recommendations include: 

  • Restrict external access features in collaboration platforms such as Microsoft Teams
  • Use application controls to block unauthorized remote access tools
  • Increase employee awareness of emerging attack techniques like vishing
  • Integrate Microsoft 365 telemetry with security tools to detect suspicious activity
  • Maintain a tested incident response plan

By preventing risks, monitoring activity, and responding effectively, organizations can significantly reduce the impact of ransomware attacks. 
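As an added illustration of the telemetry recommendation (not code from Sophos or from the video), the sketch below correlates an inbound mail burst with a later external Teams call or Quick Assist launch for the same user, the sequence described in the incidents above. The event field names, thresholds and sample records are assumptions constructed for this example, not a real Microsoft 365 schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=45)   # window length taken from the incident above
BURST_THRESHOLD = 500                  # assumed tuning value, well below the 3,000 observed
FOLLOWUP_WINDOW = timedelta(hours=4)   # assumed: how long after a burst a contact is suspicious

def first_burst(events):
    """Return {user: time inbound mail first reached the threshold inside one window}."""
    recent, bursts = defaultdict(deque), {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] != "mail_received" or e["user"] in bursts:
            continue
        q = recent[e["user"]]
        q.append(e["time"])
        while e["time"] - q[0] > BURST_WINDOW:   # drop mail older than the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            bursts[e["user"]] = e["time"]
    return bursts

def correlate(events):
    """Flag users whose mail burst is followed by an external Teams call or Quick Assist."""
    bursts, alerts = first_burst(events), defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        start = bursts.get(e["user"])
        if start is None or not (start <= e["time"] <= start + FOLLOWUP_WINDOW):
            continue
        if e["type"] == "teams_call" and e.get("external"):
            alerts[e["user"]].append("external_teams_call")
        elif e["type"] == "process_start" and e.get("image", "").lower().endswith("quickassist.exe"):
            alerts[e["user"]].append("quick_assist_launch")
    return dict(alerts)

# Constructed sample telemetry: alice gets 3,000 mails in 45 minutes, bob gets normal volume.
T0 = datetime(2024, 11, 5, 9, 0)
SAMPLE = (
    [{"user": "alice", "type": "mail_received", "time": T0 + timedelta(seconds=i * 0.9)} for i in range(3000)]
    + [{"user": "bob", "type": "mail_received", "time": T0 + timedelta(minutes=i)} for i in range(40)]
    + [
        {"user": "alice", "type": "teams_call", "external": True, "time": T0 + timedelta(minutes=50)},
        {"user": "alice", "type": "process_start", "image": r"C:\Windows\System32\QuickAssist.exe",
         "time": T0 + timedelta(minutes=58)},
        {"user": "bob", "type": "teams_call", "external": True, "time": T0 + timedelta(minutes=50)},
    ]
)

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

An external Teams call on its own (bob) does not alert; only the burst followed by the contact does, which keeps the rule quiet for users who routinely talk to outside tenants.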

 

11:37  Closing 

Thank you, John, and thank you to everyone who joined us today. 

Stay tuned for future Cyber Shorts episodes, and for more insights be sure to read our blog and follow Sophos on social media.