Black Basta Ramps Up Attacks with Microsoft Teams Social Engineering
TrollEye Security
The Black Basta ransomware group has recently escalated its attacks on organizations by shifting its social engineering tactics to Microsoft Teams, according to a new report by ReliaQuest. Known for launching widespread ransomware campaigns since April 2022, Black Basta’s latest strategy sees attackers posing as corporate IT support through Microsoft Teams, deceiving employees into granting remote access to their devices.
Black Basta emerged from the remnants of the infamous Conti cybercrime syndicate, which disbanded in June 2022 after suffering internal data leaks. Since then, Black Basta has been responsible for hundreds of attacks worldwide, employing varied techniques to infiltrate corporate networks, including exploiting system vulnerabilities, leveraging botnets, and deploying sophisticated social engineering tactics.
In previous campaigns, Black Basta first email-bombed targeted employees, flooding their inboxes with non-malicious newsletters, sign-up confirmations, and verification messages. Once an inbox was swamped, the attackers phoned the user directly, posing as corporate help desk staff offering to clean up the spam. Under this guise they persuaded employees to install remote access tools such as AnyDesk or to open a Windows Quick Assist session, which gave the attackers hands-on access to the endpoint. From there they installed persistent remote-access and post-exploitation tooling, including ScreenConnect and Cobalt Strike, and used it to reach the wider corporate network.
The group has since refined its approach. Rather than phone calls, Black Basta now uses Microsoft Teams to contact employees, sending chats from accounts in external, attacker-controlled Microsoft Entra tenants that are dressed up to look like the legitimate IT help desk. The observed tenant domains include "securityadminhelper.onmicrosoft[.]com" and "supportadministrator.onmicrosoft[.]com"; onmicrosoft.com is the default domain every newly created tenant receives, so these cost the attackers nothing to set up. The operators open one-on-one chats designed to look official, with profile display names such as "Help Desk" to lend credibility.
During these chats, Black Basta members reportedly send QR codes that resolve to domains the researchers could not attribute; what those pages do has not been established. Once a remote session is obtained, victims may be coaxed into running executables named “AntispamAccount.exe” or “AntispamConnectUS.exe,” which ultimately lead to the installation of Cobalt Strike, a post-exploitation framework the attackers use to move laterally across the network, escalate privileges, steal sensitive data, and deploy ransomware.
Researchers recommend that organizations restrict Microsoft Teams communication from external users to an explicit allow list of trusted domains rather than accepting chats from any tenant. Additionally, monitoring the creation of new chats, in particular one-on-one chats initiated by external accounts, and enabling detailed audit logging can surface this activity before it escalates to a remote session.
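The two recommendations above can be put into practice from PowerShell. The block below is an added example and is not code from TrollEye, ReliaQuest or Microsoft: the first function pins federated Teams chat to an allow list of domains and blocks consumer Teams accounts; the second parses the JSON AuditData payload of ChatCreated records from the unified audit log and flags one-on-one chats opened from a foreign tenant, scoring them higher when the sender uses a default *.onmicrosoft.com domain and a help-desk-themed display name. It assumes the MicrosoftTeams and ExchangeOnlineManagement modules, a Teams admin / audit reader role, and the field names of the Office 365 Management Activity Teams schema as I understand them (ParticipantInfo, ParticipatingDomains, Members); the domain names, the lure regexes and the sample audit record are constructed for illustration and should be checked against records from your own tenant.

```powershell
# Added example; not code from TrollEye, ReliaQuest or Microsoft. Assumes the
# MicrosoftTeams and ExchangeOnlineManagement modules are installed and the caller
# holds Teams admin / audit-reader roles. Domain names, lure patterns and the sample
# audit record below are constructed for illustration.

# --- 1. Allow federated Teams chat only from an explicit list of trusted tenants ---
function Set-TeamsExternalAccessAllowList {
    param([Parameter(Mandatory)] [string[]] $TrustedDomains)
    Connect-MicrosoftTeams | Out-Null
    # Federation stays on, but only the listed domains may reach your users;
    # unmanaged (consumer) Teams accounts are blocked outright.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
        -AllowedDomainsAsAList @{ Add = $TrustedDomains } `
        -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
}

# --- 2. Hunt the unified audit log for one-on-one chats opened from foreign tenants ---
# Each MicrosoftTeams audit record carries a JSON AuditData string. For ChatCreated,
# ParticipantInfo identifies foreign tenants and their domains, and Members carries the
# display name the sender chose, which is where a spoofed "Help Desk" title shows up.
function Find-SuspiciousExternalChat {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecords,   # e.g. output of Search-UnifiedAuditLog
        [string[]] $TrustedDomains = @(),                   # include your own tenant domains here
        # Regexes for help-desk themed display names (assumption; tune to your environment)
        [string[]] $LurePatterns = @('help ?desk', 'support', 'it ?admin', 'security')
    )
    $lure = $LurePatterns -join '|'
    foreach ($rec in $AuditRecords) {
        $d = $rec.AuditData | ConvertFrom-Json
        if ($d.Operation -ne 'ChatCreated' -or $d.CommunicationType -ne 'OneOnOne') { continue }
        if (-not $d.ParticipantInfo.HasForeignTenantUsers) { continue }

        $external = @($d.ParticipantInfo.ParticipatingDomains | Where-Object { $_ -notin $TrustedDomains })
        if ($external.Count -eq 0) { continue }

        $lureMembers   = @($d.Members | Where-Object { $_.DisplayName -match $lure })
        # *.onmicrosoft.com is the default domain of a freshly created tenant
        $defaultTenant = @($external | Where-Object { $_ -like '*.onmicrosoft.com' })
        $severity = 'Low'
        if ($lureMembers.Count -gt 0) { $severity = 'Medium' }
        if ($lureMembers.Count -gt 0 -and $defaultTenant.Count -gt 0) { $severity = 'High' }

        [pscustomobject]@{
            Time            = $d.CreationTime
            Severity        = $severity
            ExternalDomains = $external -join ', '
            LureDisplayName = @($lureMembers | ForEach-Object { $_.DisplayName }) -join ', '
            Participants    = @($d.Members | ForEach-Object { $_.UPN }) -join ', '
        }
    }
}

# Constructed sample record in the shape Search-UnifiedAuditLog returns (AuditData is a JSON string).
$sample = [pscustomobject]@{
    CreationDate = '2024-10-28T14:02:11'
    Operations   = 'ChatCreated'
    AuditData    = @'
{"CreationTime":"2024-10-28T14:02:11","Operation":"ChatCreated","RecordType":25,
 "CommunicationType":"OneOnOne",
 "ParticipantInfo":{"HasForeignTenantUsers":true,"HasGuestUsers":false,
   "ParticipatingDomains":["example-corp.com","securityadminhelper.onmicrosoft.com"]},
 "Members":[{"DisplayName":"Help Desk","Role":0,"UPN":"helpdesk@securityadminhelper.onmicrosoft.com"},
            {"DisplayName":"Jane Doe","Role":0,"UPN":"jane.doe@example-corp.com"}]}
'@
}

# Offline run against the sample; for live data replace @($sample) with:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#       -RecordType MicrosoftTeams -Operations ChatCreated -ResultSize 5000
Find-SuspiciousExternalChat -AuditRecords @($sample) -TrustedDomains 'example-corp.com', 'partner.example' |
    Format-List
```

Run against the sample, the hunt returns one High-severity hit: the only non-trusted domain is securityadminhelper.onmicrosoft.com and the sender's display name matches the help-desk lure. Two caveats a practitioner will want: the allow-list cmdlet only governs federated (tenant-to-tenant) chat, so guest accounts already invited into your tenant are governed by Entra B2B settings, not by this configuration; and unified audit log records can lag by some hours, so this is a hunt, not a real-time control. The real-time control is the allow list.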
With attackers shifting to increasingly convincing social engineering, it is worth considering comprehensive social engineering assessments that prepare employees for exactly these types of attacks. Our assessments simulate real-world phishing and impersonation attempts, training employees to recognize and respond to suspicious requests, whether over email, phone, or collaboration platforms like Microsoft Teams.
By regularly testing and educating your workforce, we help reinforce a critical line of defense against social engineering tactics, ensuring that your team is equipped to recognize and thwart potential security breaches before they impact your organization.