Ransomware crew pose as Microsoft Teams IT support to steal logins and passwords

The Black Basta cybercrime group has added a Microsoft Teams twist to one of its recent techniques for infiltrating organizations, gaining persistent access, and launching ransomware.

The underlying technique is highly targeted. It begins with social engineering: the attackers ‘spear-spam’ a chosen employee’s email inbox with so much junk that the inbox becomes unusable.

The attackers then phone the employee, pretend to be the organization’s IT helpdesk, and offer to help with the spam problem.

Spear-spam

While ‘helping’ the employee, the attackers gain control of the victim’s device by having them install the AnyDesk remote desktop software or launch the built-in Windows Quick Assist tool. They then deploy payloads that install ScreenConnect, NetSupport Manager, and Cobalt Strike, and from that foothold proceed to their usual ransomware attack.

In Black Basta’s latest twist on this technique, the group instead contacts the employee through Microsoft Teams from an external account set up to mimic the organization’s IT helpdesk. The accounts live in Entra ID tenants whose names look legitimate at a glance but are clearly fake on closer inspection.

ReliaQuest, which observed the shift in tactic earlier this month, explained that Black Basta was using tenants in the onmicrosoft.com namespace such as “securityadminhelper.onmicrosoft[.]com” or “Supportserviceadmin.onmicrosoft[.]com”. The attackers also used the display name “Help Desk”, padded with whitespace characters so that it appears centered in the chat window, and added the target to a “OneOnOne” chat. The attack then continued as before, with payloads delivered in files named “AntispamAccount.exe,” “AntispamUpdate.exe,” or “AntispamConnectUS.exe.”

ReliaQuest also observed that a significant proportion of the fake Teams accounts originated from Russia, with many carrying time zone data mapped to Moscow. ReliaQuest recommends that system administrators and security teams restrict Teams external access so that only allow-listed trusted domains can start chats with employees, and that chat logging be enabled so such contacts can be investigated.
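The two recommendations above, and a hunt for the tenant-naming pattern ReliaQuest described, as an added PowerShell example (not ReliaQuest’s or Microsoft’s code). It assumes the MicrosoftTeams and ExchangeOnlineManagement modules are installed and that an admin session is already open (Connect-MicrosoftTeams and Connect-ExchangeOnline); the partner domains and the sample audit records are placeholders constructed for the example, and the Teams audit field names (CommunicationType, ParticipantInfo.HasForeignTenantUsers, ParticipantInfo.ParticipatingDomains) should be checked against your own export before you rely on them.

```powershell
# Added example, not from the article, ReliaQuest or Microsoft.
# Assumes an open Teams admin session (Connect-MicrosoftTeams) and an Exchange Online
# session (Connect-ExchangeOnline). Domains below are placeholders.

# --- 1. Restrict Teams external access to an allow-list of trusted domains ----------
function Set-TeamsExternalAccessAllowList {
    param([string[]]$TrustedDomains)   # e.g. 'partner-one.example','partner-two.example'

    # Weak (default) setting: open federation, any tenant can open a chat with your users.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer

    # Hardened setting: federate only with the listed domains and block consumer
    # (personal) Teams accounts, so an unknown *.onmicrosoft.com tenant cannot start a chat.
    $list = New-Object 'System.Collections.Generic.List[string]'
    $TrustedDomains | ForEach-Object { $list.Add($_) }
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $list `
        -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
}

# --- 2. Make sure Teams activity is written to the unified audit log ------------------
function Enable-UnifiedAuditLogging {
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }
}

# --- 3. Hunt Teams MessageSent audit records for one-to-one chats with external
#        *.onmicrosoft.com tenants whose name suggests "help desk" / "support" / "admin" ---
function Find-SuspiciousExternalChats {
    param([object[]]$Records)   # objects with an AuditData JSON string, as Search-UnifiedAuditLog returns

    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.Operation -ne 'MessageSent' -or $d.CommunicationType -ne 'OneOnOne') { continue }
        if (-not $d.ParticipantInfo.HasForeignTenantUsers) { continue }

        # Tenants that never set a vanity domain show up as <name>.onmicrosoft.com.
        $external = @($d.ParticipantInfo.ParticipatingDomains | Where-Object { $_ -like '*.onmicrosoft.com' })
        # Look at the tenant's own label only, e.g. "securityadminhelper".
        $lure = @($external | Where-Object { ($_ -split '\.')[0] -match 'help|support|admin|security|desk|service' })
        if ($lure.Count -eq 0) { continue }

        [pscustomobject]@{
            User           = $d.UserId
            ExternalTenant = ($lure -join ', ')
            Reason         = 'OneOnOne chat from external onmicrosoft.com tenant with helpdesk-style name'
        }
    }
}

# Constructed sample records (not real telemetry) so the hunt runs offline.
$sample = @(
    [pscustomobject]@{ AuditData = '{"Operation":"MessageSent","CommunicationType":"OneOnOne","UserId":"employee@contoso.example","ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["contoso.example","securityadminhelper.onmicrosoft.com"]}}' },
    [pscustomobject]@{ AuditData = '{"Operation":"MessageSent","CommunicationType":"OneOnOne","UserId":"employee@contoso.example","ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["contoso.example","partner-one.example"]}}' },
    [pscustomobject]@{ AuditData = '{"Operation":"MessageSent","CommunicationType":"Channel","UserId":"employee@contoso.example","ParticipantInfo":{"HasForeignTenantUsers":false,"ParticipatingDomains":["contoso.example"]}}' }
)

# Only the first record is flagged: external, one-to-one, and a helpdesk-style onmicrosoft.com tenant.
Find-SuspiciousExternalChats -Records $sample | Format-Table -AutoSize
```

To run the hunt against real data, call it as `Find-SuspiciousExternalChats -Records (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType MicrosoftTeams -Operations MessageSent -ResultSize 5000)`. Treat the hunt as a triage signal rather than a block rule: small and trial tenants legitimately use onmicrosoft.com names, which is why the allow-list in step 1 is the control that actually stops the contact, and the audit log is what lets you reconstruct who was approached once a lure gets through.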

Black Basta has been blamed for over 500 ransomware attacks worldwide and has established itself as one of the most prolific ransomware-as-a-service operations. The group emerged in early 2022 and is likely made up of former members of the Conti ransomware group, which collapsed the same year.
