The Black Basta ransomware group attacks organizations using Microsoft Teams support accounts

The group was spotted attacking organizations in October 2024.


Published on November 5, 2024


The Black Basta ransomware group now employs a new social engineering tactic to compromise Microsoft Teams accounts with email spam and Teams messages containing malicious QR codes. Security expert ReliaQuest discovered the new cyberattack strategies, which the company detailed in its new blog post.

This is a departure from Black Basta’s previous tactics, which primarily involved gaining initial access to a victim’s network via exposed remote management tools and then deploying Cobalt Strike beacons used for lateral movement and data exfiltration.

In October 2024, ReliaQuest responded to an alert for Impacket activity, a set of tools for manipulating Windows Active Directory authentication protocols. During the investigation, the company discovered a broader trend: a campaign of escalated social engineering tactics associated initially with Black Basta. As part of a wide-ranging email spam campaign, the attackers are also sending Microsoft Teams messages to targeted users.

The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment. Ultimately, the attackers’ end goal in these incidents is almost certainly the deployment of ransomware.

ReliaQuest says Black Basta’s ransomware campaign poses a “significant threat” to organizations using Microsoft Teams. According to the company, the attackers are targeting many of ReliaQuest’s customers across diverse sectors and geographies with “alarming intensity.” In one incident, ReliaQuest observed approximately 1,000 emails bombarding a single user within 50 minutes.

The company agrees that the sheer volume of activity is uniquely high, and the company attributes the incidents to Black Basta with “high confidence” due to commonalities in domain creation and Cobalt Strike configurations.

In July, after the Kaseya attack that affected hundreds of companies, Black Basta announced that it would move away from supply chain-based attacks and instead focus on exploiting active vulnerabilities in on-premises solutions. While Black Basta has not launched significant new ransomware campaigns, the group has been active recently.


Flavius Floare

Tech Journalist

Flavius is a writer and a media content producer with a particular interest in technology, gaming, media, film and storytelling.

He’s always curious and ready to take on everything new in the tech world, covering Microsoft’s products on a daily basis. The passion for gaming and hardware feeds his journalistic approach, making him a great researcher and news writer that’s always ready to bring you the bleeding edge!
