Cybercrime evolves: Black Basta turns to Microsoft Teams to access corporate systems

Published 29 Oct 2024


The ransomware group Black Basta has begun exploiting Microsoft Teams to infiltrate corporate networks, posing as IT support staff in chat to deceive employees. In these impersonated help desk conversations, Black Basta convinces workers to install remote support tools that pave the way for ransomware deployment. Cybersecurity firm ReliaQuest describes this tactic as a sophisticated leap in social engineering, highlighting the group’s evolving and more deceptive approach to bypassing corporate defenses.

A Shift in Strategy

Black Basta has ramped up operations by flooding employee inboxes with harmless but excessive emails to overwhelm the target and create a sense of urgency. This approach, which cybersecurity experts call “spear-spam,” fills a victim’s inbox with newsletters and sign-up confirmations until it becomes nearly unusable. Previously, Black Basta followed up with phone calls to pose as IT support.

However, the group now uses Microsoft Teams to achieve the same end, creating external accounts with display names like “Help Desk” to deceive employees. These accounts are set up under Entra ID tenants and often carry domains that appear legitimate at a glance but show subtle signs of fakery, such as spacing tricks and “*.onmicrosoft.com” extensions.

The group’s approach on Teams is designed to appear as internal help desk support reaching out to resolve the spam issue. ReliaQuest’s research shows that these external Teams accounts typically originate from Russian Entra ID tenants, with time zone data linked to Moscow. Once contact is established, Black Basta persuades employees to install remote support tools like AnyDesk or activate Windows Quick Assist.

Once they have access, Black Basta installs a series of payloads—including ScreenConnect, NetSupport Manager, and Cobalt Strike—to secure control and move laterally across the network.

The ransomware group’s latest tactic has drawn attention for its nuanced understanding of corporate environments. “These external users set their profiles to a ‘DisplayName’ designed to make the targeted user think they were communicating with a help-desk account,” ReliaQuest stated.

Their end goal remains the same: encrypt corporate data and demand ransom for its release. However, Black Basta has reportedly incorporated new elements, including QR codes sent through Teams chats, though the specific role of these codes in the attacks remains uncertain.
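The “spear-spam” flood described above is the precursor to the fake help-desk contact, so a defender wants to catch it at the mail gateway before anyone reaches out to the overwhelmed user. The following added example, which is not part of the article or of ReliaQuest’s tooling, runs a sliding-window count over constructed delivery records and reports mailboxes that receive an abnormal burst of messages from many distinct senders; the threshold, window size and record layout are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FLOOD_THRESHOLD = 20              # assumed tuning value: deliveries per window
FLOOD_WINDOW = timedelta(minutes=10)


def build_sample_deliveries():
    """Constructed mail-gateway records (recipient, ISO timestamp, sender); not real logs."""
    base = datetime(2024, 10, 28, 9, 0, 0)
    records = []
    # Targeted mailbox: 30 sign-up confirmations from 30 different senders, one every 20 seconds
    for i in range(30):
        ts = base + timedelta(seconds=20 * i)
        records.append(("alice@example.test", ts.isoformat(), f"noreply@signup-{i}.test"))
    # Normal mailbox: three newsletters spread over an hour
    for i in range(3):
        ts = base + timedelta(minutes=20 * i)
        records.append(("bob@example.test", ts.isoformat(), "news@vendor.test"))
    return records


def group_by_recipient(records):
    """Bucket deliveries per recipient and sort each bucket by time."""
    per_rcpt = defaultdict(list)
    for rcpt, ts, sender in records:
        per_rcpt[rcpt].append((datetime.fromisoformat(ts), sender))
    for msgs in per_rcpt.values():
        msgs.sort()
    return per_rcpt


def detect_floods(records, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
    """Sliding window over each recipient's deliveries.

    Returns {recipient: {"count", "distinct_senders", "window_start"}} for every
    mailbox whose inbound volume inside one window reaches the threshold. The
    distinct-sender count separates a subscription flood (many unrelated senders)
    from a single noisy but legitimate sender.
    """
    alerts = {}
    for rcpt, msgs in group_by_recipient(records).items():
        start = 0
        for end in range(len(msgs)):
            # Slide the window start forward until it spans at most `window`
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                senders = {s for _, s in msgs[start:end + 1]}
                best = alerts.get(rcpt)
                if best is None or count > best["count"]:
                    alerts[rcpt] = {
                        "count": count,
                        "distinct_senders": len(senders),
                        "window_start": msgs[start][0].isoformat(),
                    }
    return alerts


if __name__ == "__main__":
    for rcpt, info in detect_floods(build_sample_deliveries()).items():
        print(f"inbox flood: {rcpt} got {info['count']} messages from "
              f"{info['distinct_senders']} senders since {info['window_start']}")
```

An alert from this check is a useful trigger on its own: the user can be warned that any unsolicited “support” contact about the spam, by phone or Teams, is likely part of the same campaign.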

Security Recommendations

With an estimated 500 ransomware attacks carried out globally, Black Basta has become a formidable player in ransomware-as-a-service. The group’s origins trace back to the Conti syndicate, which disbanded in 2022. Black Basta’s continued adaptation of its tactics, now targeting trusted internal communication tools, serves as a reminder that threat actors are constantly evolving their strategies to exploit even the most secure-seeming channels.

With this fresh threat looming, cybersecurity experts advise companies to restrict Teams access from external domains and enable logging for potentially suspicious activities. “ReliaQuest recommends that system administrators and security pros set Microsoft Teams chats from external accounts to trusted domains only, and chat logging should be enabled,” according to their latest advisory.
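Once Teams chat logging is enabled, the external-sender signals the article lists (a display name built to read as “Help Desk”, spacing tricks, an unverified “*.onmicrosoft.com” tenant domain, and a domain outside the trusted allowlist) can be checked mechanically. The example below is added here and is not ReliaQuest’s code or an official Microsoft tool: it screens constructed external-chat events against an assumed trusted-domain allowlist and assumed display-name keywords, and returns the reasons each sender was flagged. The event field names are an assumption, not the real Teams log schema.

```python
import re
import unicodedata

# Assumed allowlist of federated partner domains (mirrors the "trusted domains only" setting)
TRUSTED_DOMAINS = {"partner.example"}
# Assumed keywords an impersonated internal-support account is likely to use
SUPPORT_WORDS = ("helpdesk", "help desk", "it support", "support desk", "service desk")


def normalize_name(name):
    """Fold Unicode lookalike spacing/case and punctuation so "Help  Desk",
    "HELP-DESK" and "Help\u00a0Desk" all compare as "help desk"."""
    n = unicodedata.normalize("NFKC", name).casefold()
    n = re.sub(r"[^a-z0-9]+", " ", n)
    return re.sub(r"\s+", " ", n).strip()


def has_spacing_trick(name):
    """Doubled spaces or non-breaking/zero-width spaces inside a display name."""
    return bool(re.search(r"\s{2,}|[\u00a0\u2000-\u200b]", name))


def assess_external_sender(event, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons an external Teams sender looks suspicious (empty = clean)."""
    domain = event["upn"].rsplit("@", 1)[1].lower()
    reasons = []
    if domain not in trusted:
        reasons.append("sender domain not in trusted allowlist")
    if domain.endswith(".onmicrosoft.com"):
        reasons.append("unverified *.onmicrosoft.com tenant domain")
    if any(word in normalize_name(event["display_name"]) for word in SUPPORT_WORDS):
        reasons.append("display name impersonates internal support")
    if has_spacing_trick(event["display_name"]):
        reasons.append("spacing trick in display name")
    return reasons


def screen_events(events, trusted=TRUSTED_DOMAINS):
    """Map each flagged sender UPN to its reasons; clean senders are omitted."""
    flagged = {}
    for event in events:
        reasons = assess_external_sender(event, trusted)
        if reasons:
            flagged[event["upn"]] = reasons
    return flagged


# Constructed sample of external-chat events, not real log data
SAMPLE_EVENTS = [
    {"display_name": "Jane Doe", "upn": "jane.doe@partner.example"},
    {"display_name": "Help  Desk", "upn": "support@corp-it-helpdesk.onmicrosoft.com"},
    {"display_name": "IT Support", "upn": "admin@contoso-fake.test"},
]

if __name__ == "__main__":
    for upn, reasons in screen_events(SAMPLE_EVENTS).items():
        print(f"{upn}: {'; '.join(reasons)}")
```

The allowlist check is the important one in practice: if the tenant is configured for trusted domains only and an event from an unlisted domain still appears in the chat log, the configuration itself needs review, not just the individual sender.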

This shift in tactics shows the need for organizations to remain vigilant and proactive, implementing comprehensive cybersecurity measures. As ransomware attacks continue to evolve, awareness and prevention are the first lines of defense against increasingly sophisticated threats.