NVISO Labs has uncovered a sophisticated phishing campaign attributed to the ransomware group Black Basta, leveraging Microsoft Teams as a vector for social engineering attacks. This campaign demonstrates the group’s ingenuity in exploiting both email and collaboration tools to infiltrate organizational networks.
The campaign begins with an email bombing stage in which the victim's inbox is flooded with otherwise benign bulk mail, such as newsletter sign-up confirmations. The flood is not the attack itself: it overwhelms the user and gives a fake help desk a plausible reason to reach out and offer to "fix" the problem. Shortly afterward, the attackers pose as Help Desk or IT Support staff on Microsoft Teams and open one-on-one chats with their targets. According to the report, "the adversary convinces the victim to provide access via RMM tools either native (Quick Assist) or third party like AnyConnect."
Once remote access is granted, the attackers escalate their activities by disabling security controls, exfiltrating sensitive data, and deploying malware.
The report highlights several detection points that can aid in identifying and mitigating these attacks:
- Spikes in Incoming Emails: Alert on an unusual volume of inbound messages classified as spam or phishing for a single recipient in a short window, rather than on organization-wide totals, since the bombing targets individual users.
- Suspicious Display Names: Monitor for keywords such as "Help Desk" or "Support" in the display names of accounts that start Teams chats, particularly accounts outside the organization's own tenant, since a legitimate internal help desk rarely needs to introduce itself this way.
- RMM Tool Usage: Investigate the launch of remote management tools such as Quick Assist, and treat any tool not on the organization's sanctioned list as a strong signal; baseline the tools IT actually uses first so the rule does not drown in noise.
- Chat Creation Timelines: NVISO Labs provides a query that flags a Microsoft Teams chat initiated with a user within three hours of an email bombing detected against that same user. This correlation of two individually noisy signals is the highest-fidelity indicator in the report.
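The following Python is an added illustration of that correlation, written for this page rather than taken from the NVISO report (whose query targets their SIEM and is not reproduced here). It detects a per-recipient spike of spam/phish mail with a sliding window, then flags Teams chats opened with that recipient within three hours, annotating each hit with whether the initiator's display name matches the help-desk keywords. The threshold (20 messages in one hour), the field names, the keyword list and the sample events are all assumptions; the telemetry is constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class EmailEvent:
    ts: datetime
    recipient: str
    verdict: str  # "spam", "phish" or "clean" (assumed field values)


@dataclass
class TeamsChat:
    ts: datetime
    target: str               # user the chat was opened with
    initiator_name: str       # display name of the account that started the chat
    initiator_external: bool  # True if the initiator is outside our tenant


# Assumed tuning values; adjust to the environment's baseline.
SUSPICIOUS_NAME_KEYWORDS = ("help desk", "helpdesk", "support", "it team")
BOMB_THRESHOLD = 20              # spam/phish messages ...
BOMB_WINDOW = timedelta(hours=1)  # ... within this sliding window
CORRELATION_WINDOW = timedelta(hours=3)  # chat must follow the bomb within this


def detect_email_bombs(events, threshold=BOMB_THRESHOLD, window=BOMB_WINDOW):
    """Return {recipient: time the threshold was first reached} for every
    recipient who received >= threshold spam/phish messages in any window."""
    by_user = defaultdict(list)
    for e in events:
        if e.verdict in ("spam", "phish"):
            by_user[e.recipient].append(e.ts)
    bombs = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the left edge forward
                start += 1
            if end - start + 1 >= threshold:
                bombs[user] = t
                break
    return bombs


def suspicious_display_name(name):
    """True if the display name mimics an IT/help-desk persona."""
    lowered = name.lower()
    return any(k in lowered for k in SUSPICIOUS_NAME_KEYWORDS)


def correlate(events, chats, lookback=CORRELATION_WINDOW):
    """Flag Teams chats opened with a bombed user within `lookback` of the bomb."""
    bombs = detect_email_bombs(events)
    alerts = []
    for chat in sorted(chats, key=lambda c: c.ts):
        bomb_ts = bombs.get(chat.target)
        if bomb_ts is None or not (bomb_ts <= chat.ts <= bomb_ts + lookback):
            continue
        alerts.append({
            "user": chat.target,
            "bomb_detected": bomb_ts,
            "chat_created": chat.ts,
            "initiator": chat.initiator_name,
            "external": chat.initiator_external,
            "name_suspicious": suspicious_display_name(chat.initiator_name),
        })
    return alerts


BASE = datetime(2024, 11, 4, 9, 0)


def build_sample_events():
    """Constructed sample telemetry for demonstration; not real data."""
    emails = [EmailEvent(BASE + timedelta(minutes=2 * i), "alice@example.com", "spam")
              for i in range(25)]                       # 25 spam in 50 minutes
    emails += [EmailEvent(BASE + timedelta(minutes=10 * i), "bob@example.com", "spam")
               for i in range(3)]                       # normal background noise
    emails.append(EmailEvent(BASE + timedelta(minutes=5), "alice@example.com", "clean"))
    chats = [
        TeamsChat(BASE + timedelta(hours=1, minutes=30), "alice@example.com", "Help Desk", True),
        TeamsChat(BASE + timedelta(hours=7), "alice@example.com", "Help Desk", True),   # too late
        TeamsChat(BASE + timedelta(hours=1), "bob@example.com", "IT Support", True),   # no bomb
        TeamsChat(BASE + timedelta(hours=1, minutes=45), "alice@example.com", "Carol Jones", False),
    ]
    return emails, chats


if __name__ == "__main__":
    sample_emails, sample_chats = build_sample_events()
    for alert in correlate(sample_emails, sample_chats):
        print(alert)
```

Running it yields two alerts for alice: the external "Help Desk" chat 52 minutes after the spam threshold was crossed, and an internal chat from a colleague that is correlated in time but carries no suspicious name. The second hit is deliberate: the time correlation alone earns the chat a look, and the display-name flag is what raises it to an incident, so the two signals are reported separately rather than folded into a single boolean.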
NVISO Labs advises organizations to remain vigilant and take a proactive stance. Correlating the mail-flow spike with Teams activity for the same user, and treating any subsequent RMM session as the point to contain the host, gives security teams a chance to stop the intrusion before remote access is ever granted.