A range of ransomware groups have been seen spoofing IT support numbers or abusing default Teams credentials in social engineering attacks over the past 18 months.
The group "register their own MFA tokens [and] add a federated identity provider to the victim’s SSO tenant and activate automatic account linking..."