Vishing and Email Bombing: Ransomware Attackers Evolve with Deceptive Tactics

Ransomware attackers are increasingly employing sophisticated tactics such as “email bombing” — flooding targets with thousands of emails within an hour — and “vishing,” or fraudulent voice messages, to breach company networks and steal data, according to cybersecurity firm Sophos.

Sophos X-Ops published a report in January highlighting these coordinated attacks, revealing that at least 15 companies had fallen victim. Subsequently, over 55 additional attempted attacks were identified. In many cases, attackers impersonated Microsoft Teams tech support to gain remote access to employee computers and deploy ransomware from within.

A separate ransomware group known as “ThreeAM” has also adopted similar attack chains. The group’s tactics include deploying virtual machines on vulnerable systems to remain hidden from endpoint protection software. They then gather employee email addresses and phone numbers, spoof internal help desk numbers using Voice-over-IP calls, and observe the system for up to nine days before executing the ransomware attack.

Sean Gallagher, Principal Threat Researcher at Sophos, stated: “By combining vishing and email bombing, ransomware attackers are becoming even more formidable. The ThreeAM ransomware group is also leveraging remote encryption, making them difficult to detect with conventional security software. Given their refined techniques, it’s likely that this wave of vishing and email bombing will remain active.”

The findings underscore a growing need for advanced threat detection and increased vigilance among enterprises, as attackers continue to refine their social engineering strategies to bypass traditional cybersecurity defenses.