Sophos MDR is investigating two threat clusters, STAC5143 and STAC5777, that use Microsoft Office 365 to gain access to organizations and deploy ransomware. Both clusters employ email bombing and fake tech support social engineering, exploiting default Microsoft Teams configurations to initiate chats and deploy malware. STAC5143 exhibits similarities to FIN7, while STAC5777 overlaps with Microsoft-identified threat actor Storm-1811 and has deployed Black Basta ransomware.