
Spoofed IT Calls and Email Bombing: A Dangerous New Frontier in Ransomware Attacks


By Ryan Lawyer, VP of Information Systems | Integrated Technical Solutions


In the ever-shifting landscape of cybercrime, attackers are becoming more creative—leveraging human trust as a primary attack vector. The 3AM ransomware group’s latest tactics mark a chilling evolution in how threat actors infiltrate environments, especially those in high-stakes industries like healthcare, government, and education.

Recent reporting from BleepingComputer sheds light on how this group combines email bombing with spoofed IT help desk calls to create a realistic, high-pressure scenario that tricks users into surrendering remote access.

This blog will break down what happened, why it matters, and—most importantly—what your organization can do about it.

The Anatomy of the Attack

1. Email Bombing as a Distraction

The attack begins with a barrage of automated spam messages—hundreds of junk emails sent within minutes to a single employee’s inbox. This is done intentionally to clutter the inbox, push legitimate IT emails out of view, and create stress or confusion for the target.

2. Spoofed IT Department Phone Call

Shortly after the email flood, the employee receives a phone call from someone claiming to be from the internal IT department. The timing is strategic: the caller claims to be aware of the issue (“We saw a spike in your account activity and noticed your inbox was hit”) and offers help to resolve it.

The call is typically friendly, urgent, and professional. In many cases, the attacker will spoof the organization's internal caller ID to appear legitimate.

3. Remote Access and Ransomware Deployment

Under the guise of tech support, the attacker asks the user to install a remote access tool—commonly legitimate software like AnyDesk, TeamViewer, or ScreenConnect. Once access is granted, data can be exfiltrated, and a ransomware payload is silently deployed.

This type of social engineering bypasses antivirus, EDR, and even MFA, because it exploits the human layer of defense: trust.

Why This Works—Especially in Healthcare and SMB Environments

Organizations in healthcare, government, or education often have:

  • Overworked help desks with limited caller verification protocols

  • Staff who aren't deeply technical but rely heavily on IT

  • A culture of compliance—employees are trained to follow instructions from authority figures, including “IT”

Even tech-savvy users can be caught off guard when the attack is framed as a helpful response to an issue they’re actively experiencing (inbox overload), giving the interaction a sense of urgency and legitimacy.

Real-World Parallels

This isn’t an isolated event. A similar technique was used in the 2023 MGM Resorts breach, where attackers called the help desk impersonating an employee and requested a password reset. The result? Multiple systems went down, including hotel key card systems, reservation platforms, and gaming systems—leading to an estimated $100 million in damages.

If a multinational like MGM can fall for a voice-based social engineering attack, so can small businesses, rural clinics, and school districts.

How to Defend Against Spoofed IT Attacks

Mitigating these threats requires more than just awareness—it requires enforceable, written policy and process. Here’s what every organization should implement:

1. Caller Verification Protocol

Establish a multi-step verification process for IT-related calls. This could include:

  • Verifying a support ticket number

  • Requesting the caller use Microsoft Teams or internal messaging systems to verify their identity

  • Requiring employees to call the IT department back via a published internal number rather than accepting incoming requests

2. Restrict Remote Access Tools

Only allow remote access via company-approved and monitored platforms. Block or alert on known consumer tools like AnyDesk, TeamViewer, and others. Endpoint protection tools like SentinelOne, CrowdStrike, or even Microsoft Defender for Endpoint can be configured to block unapproved binaries or trigger alerts.

3. Create a “Pause and Validate” Culture

Train staff to treat all unscheduled tech support calls as suspect—even if they seem helpful. Your policy should explicitly empower employees to hang up, report the incident, and wait for confirmation from known channels.

4. Email Bomb Protection

Use mail filtering solutions (e.g., Microsoft Defender for Office 365, Proofpoint, Mimecast) that can recognize and throttle massive volumes of similar emails. Consider rate-limiting inbound messages or quarantining known spam patterns to keep inboxes usable during an attack.
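The two controls above (alerting on unapproved remote-access tools, and recognizing an email bomb as it happens) are far more useful when correlated: a burst of hundreds of messages to one mailbox followed, within an hour or two, by that same user launching AnyDesk or TeamViewer is exactly the sequence described earlier in this post. The Python sketch below is an added example written for this post, not code from the original article or from Integrated Technical Solutions. It assumes two constructed log sources (a mail-gateway delivery log and an endpoint process-start log) with invented field names, and assumes the mailbox local part matches the endpoint username; the watched-tool list is illustrative and should come from your own approved-software policy.

```python
"""Correlate an email-bomb burst with a later remote-access tool launch.

Added example (not from the original post). All log records below are
constructed for illustration; field names and hostnames are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 5, 12, 9, 0, 0)  # constructed reference time

# Constructed mail-gateway log: 60 junk deliveries to one inbox in 5 minutes,
# plus a few normal messages to a second user spread over 90 minutes.
MAIL_LOG = [
    {"ts": BASE + timedelta(seconds=5 * i), "rcpt": "jdoe@example.com",
     "subject": f"Welcome to newsletter {i}"}
    for i in range(60)
] + [
    {"ts": BASE + timedelta(minutes=m), "rcpt": "asmith@example.com",
     "subject": "Q2 budget"}
    for m in (0, 30, 90)
]

# Constructed endpoint process-start log (e.g. from EDR or Sysmon).
PROCESS_LOG = [
    {"ts": BASE + timedelta(minutes=22), "host": "WS-042", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": BASE + timedelta(minutes=25), "host": "WS-017", "user": "asmith",
     "image": r"C:\Program Files\Microsoft\Teams\ms-teams.exe"},
    {"ts": BASE + timedelta(hours=5), "host": "WS-101", "user": "bnguyen",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
]

# Illustrative watch list of remote-access binaries not approved by policy
# (assumption: the organisation's approved tool is something else).
WATCHED_TOOLS = {
    "anydesk.exe",
    "teamviewer.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}


def find_email_bursts(mail_events, threshold=50, window=timedelta(minutes=10)):
    """Return one burst per recipient whose inbox received >= threshold
    messages inside any sliding window of the given length."""
    by_rcpt = defaultdict(list)
    for e in mail_events:
        by_rcpt[e["rcpt"]].append(e["ts"])
    bursts = []
    for rcpt, times in by_rcpt.items():
        times.sort()
        start = 0
        for i in range(len(times)):
            # Slide the window start forward until the span fits.
            while times[i] - times[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                # Threshold hit: extend to every later message still in window.
                j = i
                while j + 1 < len(times) and times[j + 1] - times[start] <= window:
                    j += 1
                bursts.append({"rcpt": rcpt, "start": times[start],
                               "end": times[j], "count": j - start + 1})
                break
    return bursts


def find_remote_tool_launches(process_events, watched=WATCHED_TOOLS):
    """Return process-start events whose image basename is on the watch list."""
    hits = []
    for e in process_events:
        name = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in watched:
            hits.append({**e, "tool": name})
    return hits


def correlate(bursts, launches, lookahead=timedelta(hours=2)):
    """High-severity alert: the bombed user launched a watched tool during
    the burst or within `lookahead` after it ended."""
    alerts = []
    for b in bursts:
        user = b["rcpt"].split("@")[0]  # assumption: local part == username
        for l in launches:
            if l["user"] == user and b["start"] <= l["ts"] <= b["end"] + lookahead:
                after = int((l["ts"] - b["end"]).total_seconds() // 60)
                alerts.append({"user": user, "host": l["host"], "tool": l["tool"],
                               "burst_count": b["count"],
                               "minutes_after_burst": after})
    return alerts


def run():
    return correlate(find_email_bursts(MAIL_LOG), find_remote_tool_launches(PROCESS_LOG))


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['user']}@{a['host']} ran {a['tool']} "
              f"{a['minutes_after_burst']} min after a {a['burst_count']}-message burst")
```

On the sample data this raises one alert for `jdoe`, who launched AnyDesk 17 minutes after a 60-message burst; `bnguyen`'s TeamViewer launch still appears in the lower-severity watched-tool list, but with no preceding burst it is not escalated. In production the thresholds should be tuned against your own mail volume, and the lookahead window kept generous, since the spoofed call can come well after the flood subsides.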

5. Run Tabletop Exercises

Conduct quarterly phishing and spoofed-call simulations. These low-cost, high-impact drills help employees recognize red flags under pressure and reinforce the policy without needing an incident to occur.

Final Thoughts: This Isn't Just a Phishing Problem—It's a Trust Problem

Spoofed IT attacks like those used by the 3AM ransomware group weaponize the inherent trust between users and internal support teams. And while firewalls and antivirus are still important, they don’t protect your users from handing over the keys willingly.

At Integrated Technical Solutions, we’re helping clients revise their incident response plans and implement identity validation protocols to fight back against this new class of threat.

If your organization doesn’t have a formal verification policy for IT communication, now is the time to fix that.

Let’s build networks that are not only secure—but human-aware.

Need help strengthening your organization’s remote access and verification policies? Contact us today to schedule a cybersecurity risk review.

© 2023 Integrated Tech Solutions. All rights reserved.