Black Basta ransomware affiliates are continuing to deceive enterprise employees into installing remote access tools by impersonating help desk staff, now also using Microsoft Teams as a channel.
Earlier this year, Black Basta used a social engineering tactic involving a flood of spam emails—often automated confirmations or notifications—to a target employee’s inbox, followed by a phone call in which the attacker posed as the organization’s IT help desk to offer assistance.
Recently, however, they’ve expanded to using Microsoft Teams to contact potential victims.
After mass spam events, targeted users were added to Microsoft Teams chats with external accounts. These external users created Entra ID tenants to impersonate support, admin, or help desk staff.
In nearly all cases we observed, the display name included the term ‘Help Desk,’ often padded with whitespace to center it within the chat. Typically, targeted employees were added to a ‘OneOnOne’ chat.
The main objective is to persuade targeted employees to install remote monitoring and management tools, like QuickAssist or AnyDesk, under the guise of providing support. However, the real intent is to gain initial access to the targeted system, allowing the attackers to install credential-stealing malware and network scanning tools.
Additionally, the targets are directed to domains hosting pages with QR codes, though their purpose remains unclear. It’s plausible these codes lead users to additional malicious infrastructure.
What Companies Can Do To Protect Themselves
Email inbox spamming is easily facilitated through dark web spam services, while reaching targeted employees via Microsoft Teams is straightforward if the organization hasn’t restricted communication from external tenants or domains. (Malware can also be delivered through Teams.)
Researchers linked these attacks to Black Basta due to similarities in domain creation and Cobalt Strike configurations, though they note that other threat actors are also exploiting this method.
It’s recommended that organizations disable external communications in Teams or limit them to specific trusted domains. Additionally, managed IT services companies suggest adjusting email anti-spam policies, enabling Teams logging to support investigations, setting rules to flag phishing attempts and suspicious activities, and educating employees on recent threats.
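The indicators described above (an external account, "Help Desk" in the display name, whitespace padding, a "OneOnOne" chat) can be combined into a flagging rule over exported Teams chat-creation records. The following Python is an added example, not code from the researchers or from Microsoft; the record fields (`members`, `upn`, `display_name`, `chat_type`), the domains, the threshold and the sample events are constructed assumptions to be mapped onto your own log export.

```python
import re

# Assumption: your organisation's own sign-in domains (placeholder value).
INTERNAL_DOMAINS = {"corp.example"}
HELP_DESK = re.compile(r"help\s*desk", re.IGNORECASE)

def score_chat_event(event, internal_domains=INTERNAL_DOMAINS):
    """Return the sorted indicator names matched by one chat-creation record."""
    hits = set()
    for member in event.get("members", []):
        # A missing or malformed UPN is treated as external on purpose.
        domain = member.get("upn", "").rpartition("@")[2].lower()
        if domain in internal_domains:
            continue
        hits.add("external_member")
        name = member.get("display_name", "")
        if HELP_DESK.search(name):
            hits.add("help_desk_display_name")
        # Padding: leading/trailing whitespace or runs of 2+ whitespace characters.
        if name != name.strip() or re.search(r"\s{2,}", name):
            hits.add("whitespace_padded_name")
    if hits and event.get("chat_type") == "OneOnOne":
        hits.add("one_on_one_chat")
    return sorted(hits)

def flag_events(events, threshold=3):
    """Return (event id, indicators) for records matching at least `threshold` indicators."""
    scored = ((e.get("id"), score_chat_event(e)) for e in events)
    return [(eid, hits) for eid, hits in scored if len(hits) >= threshold]

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"id": "evt-1", "chat_type": "OneOnOne", "members": [
        {"upn": "j.doe@corp.example", "display_name": "Jordan Doe"},
        {"upn": "admin@support-tenant.example", "display_name": "      Help Desk      "}]},
    {"id": "evt-2", "chat_type": "OneOnOne", "members": [
        {"upn": "j.doe@corp.example", "display_name": "Jordan Doe"},
        {"upn": "it@corp.example", "display_name": "IT Help Desk"}]},
    {"id": "evt-3", "chat_type": "Group", "members": [
        {"upn": "j.doe@corp.example", "display_name": "Jordan Doe"},
        {"upn": "dana@partner.example", "display_name": "Dana Reyes"}]},
]

if __name__ == "__main__":
    for event_id, indicators in flag_events(SAMPLE_EVENTS):
        print(event_id, indicators)
```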
Cybersecurity for Small and Medium Sized Businesses
If your organization has been targeted by a Black Basta cyber attack, it’s critical to act quickly to minimize potential damage. Partnering with a trusted IT provider can help your business assess the situation, remove malicious access points, and bolster your security against future threats. A professional IT team can guide you through the necessary steps to contain and resolve the issue, implement stronger preventative measures, and provide ongoing support to safeguard your digital environment. Don’t hesitate to reach out to a qualified IT provider to ensure a thorough response and recovery plan. Get in touch with us now.