Ransomware crew pose as Microsoft Teams IT support to steal logins and passwords

Black Basta targeting Microsoft Teams users

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Infamous cybercrime group Black Basta has enhanced one of its latest techniques for infiltrating organizations, gaining persistent access, and launchingransomwarecampaigns by involvingMicrosoftTeams.

The most recent technique is highly targeted, and involves using social engineering to ‘spear-spam’ an employee’s email inbox with an overwhelming amount of junk, to the point where the inbox simply isn’t usable.

The attackers would then phone the employee and pretend to be the organization’s IT helpdesk, offering assistance with the spam affecting thevideo conferencingplatform.

Spear-spam

While ‘helping’ the employee, the attackers will gain control of the victim’s device by installing the AnyDeskremote desktop software, or by launching the Windows Quick Assist tool, before deploying payloads that infect the device with ScreenConnect, NetSupport Manager, and Cobalt Strike. Through these payloads, the attackers would launch their typical ransomware attack.

However, in Black Basta’s latest twist to this technique, the group will instead contact the employee through Microsoft Teams using an external account set up to mimic the organization’s IT helpdesk using Entra ID tenants that appear legitimate if only glanced at. On further inspection however, they are clearly fake.

ReliaQuest, who observed the shift in tactic earlier this month, explained that Black Basta were using tenants appended with “*.onmicrosoft.com” such as “securityadminhelper.onmicrosoft[.]com” or

“Supportserviceadmin.onmicrosoft[.]com”. The attackers would also use the screen name “Help Desk” positioned to the center of the chat using whitespace characters, and added to a “OneOnOne” chat. The attackers would then continue with the attack, deploying payloads within files named “AntispamAccount.exe,” “AntispamUpdate.exe,” or “AntispamConnectUS.exe.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

ReliaQuest also observed a significant proportion of the fake Teams accounts originating from Russia, with many having time zone data mapped to Moscow. ReliaQuest recommends that system administrators and security pros set Microsoft Teams chats from external accounts to trusted domains only, and chat logging should be enabled.

Black Basta has been blamed for over 500 ransomware attacks worldwide, and has established itself as one of the most prolific ransomware-as-a-service providers. The group emerged early in 2022, and is likely composed of fragments of the Conti ransomware group that collapsed in the same year.

More from TechRadar Pro

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division),  then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

Cybersecurity is business survival and CISOs need to act now

The real battle for generative AI in software

HPE reveals critical security bug affecting networking access points