In October 2024, the Black Basta ransomware operation began using the Microsoft Teams collaboration platform to conduct social engineering attacks, impersonating IT support to deceive employees and gain access to corporate networks. This shift in their tactics demonstrates how cybercriminals evolve and adapt their methods to bypass corporate defenses.
The evolution of the Black Basta attack
Active since April 2022, Black Basta has been responsible for hundreds of attacks on companies worldwide. After the shutdown of the Conti group in 2022, some of its members formed new operations, including Black Basta. This organization has employed infiltration methods that include exploiting vulnerabilities, using botnets, and, notably, social engineering.
One previous tactic involved flooding employees’ inboxes with thousands of spam emails (newsletters, registration confirmations, etc.) and then calling, impersonating the technical support department, to offer help. Through this false assistance, they managed to have employees install remote access tools like AnyDesk, allowing them to introduce additional malware and gain access to devices on the corporate network.
The new approach: Microsoft Teams
In their latest strategy, Black Basta affiliates are using Microsoft Teams to directly contact employees. According to a report by ReliaQuest, the attackers create external accounts on the Entra ID platform, which mimic support users with screen names like “Help Desk” or “Security Admin.” Once the account is created, the attackers reach out to their targets via Teams, using a one-on-one chat (“OneOnOne”), which adds credibility to their false technical support role.
To make their profile more believable, they use tenant names like “securityadminhelper.onmicrosoft[.]com” and “supportadministrator.onmicrosoft[.]com,” which contain keywords suggesting technical support. In some cases, they even send QR codes that link to malicious domains, such as qr-s1[.]com, although the exact purpose of these QR codes has not been clearly determined.
Objective: remote access and full control
As with their previous tactic, the end goal is to get the user to install AnyDesk or run Windows Quick Assist, providing the cybercriminals with remote access. Once inside the device, the attackers install files with names like “AntispamAccount.exe” and “AntispamConnectUS.exe.” These files have been identified by researchers as variants of SystemBC, a proxy malware previously used by Black Basta. Finally, the attackers deploy Cobalt Strike, an advanced remote access tool that allows them to move laterally through the network, steal data, and execute ransomware on multiple devices within the organization.
Security recommendations to avoid these attacks
ReliaQuest has issued recommendations to protect organizations from this type of attack:
- Restrict external communication in Microsoft Teams: Limit the ability for external users to contact employees through Microsoft Teams. If necessary, allow only communications from specific and verified domains.
- Enable activity logs: Turn on event logging in Microsoft Teams, especially to detect the creation of chats (“ChatCreated event”) and thus identify potential suspicious interactions.
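The second recommendation only pays off if someone actually reads the ChatCreated events. The following script is an added example, not code from ReliaQuest or from the original article: it triages Teams ChatCreated records exported from the Office 365 Unified Audit Log and flags one-on-one chats opened with an external member whose display name or tenant looks like IT support, using the “Help Desk” / “Security Admin” names and the support-themed onmicrosoft.com tenants described above. The field names (Operation, CommunicationType, ChatThreadId, Members with DisplayName and UPN) follow the Teams audit record layout as I know it and should be treated as assumptions to check against your own export; the internal domain contoso.example and the sample records are constructed.

```python
"""Triage Microsoft Teams 'ChatCreated' audit records for help-desk impersonation.

Added example: flags one-on-one chats opened with an external member whose
display name or tenant looks like IT support. Field names follow the Office 365
Unified Audit Log layout for Teams records as far as known; treat them as
assumptions and adjust to your export.
"""
import json
import re

# The organisation's own sign-in domains (hypothetical); any other UPN is external.
INTERNAL_DOMAINS = {"contoso.example"}

# Display names the report says the impersonation accounts used, plus close variants.
SUPPORT_NAME = re.compile(r"help\s*desk|security\s*admin|support|it\s*admin", re.IGNORECASE)

# The attacker tenants in the report were *.onmicrosoft.com tenants with support-themed
# labels; an external onmicrosoft.com tenant that also matches SUPPORT_NAME is a strong signal.
ONMICROSOFT = re.compile(r"\.onmicrosoft\.com$", re.IGNORECASE)


def upn_domain(upn):
    """Lower-cased domain part of a UPN; empty string if there is no '@'."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def assess_chat(record):
    """Return (severity, reasons) for one audit record.

    severity is None for records that are not external one-on-one ChatCreated events,
    'low' for any one-on-one chat with an external party, and 'high' when that party
    also looks like a support account.
    """
    if record.get("Operation") != "ChatCreated":
        return None, []
    if record.get("CommunicationType") != "OneOnOne":  # assumed field name
        return None, []
    severity, reasons = None, []
    for member in record.get("Members", []):
        upn = member.get("UPN", "")
        domain = upn_domain(upn)
        if domain in INTERNAL_DOMAINS:
            continue
        severity = "low"
        reasons.append(f"external member {upn}")
        name = member.get("DisplayName", "")
        if SUPPORT_NAME.search(name):
            severity = "high"
            reasons.append(f"support-themed display name {name!r}")
        if ONMICROSOFT.search(domain) and SUPPORT_NAME.search(domain):
            severity = "high"
            reasons.append(f"support-themed onmicrosoft.com tenant {domain}")
    return severity, reasons


def triage(records):
    """Return findings for records that need an analyst's attention, 'high' first."""
    findings = []
    for rec in records:
        severity, reasons = assess_chat(rec)
        if severity:
            findings.append({
                "ChatThreadId": rec.get("ChatThreadId"),
                "CreationTime": rec.get("CreationTime"),
                "Severity": severity,
                "Reasons": reasons,
            })
    findings.sort(key=lambda f: 0 if f["Severity"] == "high" else 1)
    return findings


# Constructed sample export (not real telemetry): three ChatCreated records.
SAMPLE_RECORDS = json.loads("""
[
  {"CreationTime": "2024-10-21T14:02:11", "Operation": "ChatCreated",
   "Workload": "MicrosoftTeams", "CommunicationType": "OneOnOne",
   "ChatThreadId": "19:thread-a", "Members": [
     {"DisplayName": "Help Desk", "Role": 0,
      "UPN": "admin@securityadminhelper.onmicrosoft.com"},
     {"DisplayName": "Alice Example", "Role": 0, "UPN": "alice@contoso.example"}]},
  {"CreationTime": "2024-10-21T14:05:40", "Operation": "ChatCreated",
   "Workload": "MicrosoftTeams", "CommunicationType": "OneOnOne",
   "ChatThreadId": "19:thread-b", "Members": [
     {"DisplayName": "Bob Example", "Role": 0, "UPN": "bob@contoso.example"},
     {"DisplayName": "Alice Example", "Role": 0, "UPN": "alice@contoso.example"}]},
  {"CreationTime": "2024-10-21T15:11:02", "Operation": "ChatCreated",
   "Workload": "MicrosoftTeams", "CommunicationType": "OneOnOne",
   "ChatThreadId": "19:thread-c", "Members": [
     {"DisplayName": "Carol Partner", "Role": 0, "UPN": "carol@partner.example"},
     {"DisplayName": "Alice Example", "Role": 0, "UPN": "alice@contoso.example"}]}
]
""")

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding["Severity"].upper(), finding["ChatThreadId"], "; ".join(finding["Reasons"]))
```

Run against the sample, the chat from the “Help Desk” account in the securityadminhelper tenant is rated high, the chat with an ordinary external partner is rated low for review, and the purely internal chat is ignored. The low tier matters once external access has been restricted to specific verified domains as the first recommendation suggests: any external one-on-one chat that still appears is then itself worth a look.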
Conclusion
This Black Basta case serves as a reminder of the importance of staying alert to increasingly sophisticated attack methods. Business communication platforms can be exploited by cybercriminals, and it is essential for organizations to strengthen access controls, monitor unusual events, and train their employees in cybersecurity. Proactivity is key to detecting and preventing attacks that seek to exploit user trust and the remote work environment.
Indicators of Compromise