October 29, 2024 | OP Innovate
Several cybersecurity publications and experts are warning against a new tactic being used by Black Basta ransomware operators – leveraging Microsoft Teams as part of their social engineering arsenal.
Hundreds of organizations have been targeted throughout October, mainly in sectors that are common targets for ransomware campaigns, including finance, tech, and government contractors.
This tactic presents a serious risk for any organization that uses Microsoft Teams for internal collaboration, especially those with less mature security controls. Hybrid and remote workforces are particularly exposed, as employees may be more likely to trust communications arriving through platforms like Teams, often without verifying the identity of external contacts.
Overview of the New Attack Strategy
Black Basta, active since April 2022, is notorious for using spam and social engineering techniques to infiltrate corporate networks. In recent months, the group has been known for overwhelming users with mass email spam and then posing as IT support over the phone.
However, October 2024 marked a tactical shift. While attackers still leverage mass email campaigns to overwhelm targets, they are also now contacting victims directly through Microsoft Teams, mimicking IT help desks to gain remote access to sensitive systems.
How the Attack Unfolds
- Email Bombardment: Attackers begin by flooding users’ inboxes with non-malicious spam (e.g., newsletters, registration confirmations). The aim is to overwhelm the target and increase the likelihood they’ll seek support. The email subject lines associated with this campaign are often similar and include:
- “Your account has been created”
- “Welcome to XYZ”
- “Thank you for registering”
- “Please verify your email”
- “Special offer for you”
- Microsoft Teams Impersonation: Instead of following up with a phone call, the attackers now contact users through Teams chats. Although they message from external accounts, the attackers can appear legitimate by manipulating their display name (e.g., “Help Desk”) within Teams. They typically use accounts with naming patterns like:
- securityadminhelper.onmicrosoft[.]com
- supportadministrator.onmicrosoft[.]com
- Cybersecurityadmin.onmicrosoft[.]com
- Deploying a Remote Access Tool: The attackers then offer to provide remote support to the victims, giving them links to tools like Quick Assist and AnyDesk, which allow them to remotely access the victim’s machine. In some cases, users are also sent QR codes, possibly leading to malicious infrastructure, though the exact purpose of these codes remains unknown.
- Credential Harvesting and Lateral Movement: Once connected to the victim’s machine, the attackers install malware that allows them to retain access and move laterally across the network. The malware being used includes:
- Cobalt Strike (for persistence and lateral movement)
- SystemBC (proxy malware)
- Credential-stealing payloads such as “AntispamAccount.exe” and “AntispamConnectUS.exe”
Why Microsoft Teams is a Vulnerable Attack Vector
The use of Microsoft Teams introduces new risks for organizations, as it allows for real-time engagement with employees that is harder to detect than traditional phishing emails. Many organizations leave external communication open by default in Teams, enabling attackers to masquerade as trusted contacts.
Weaknesses in Teams deployments that these attacks exploit include:
- External account spoofing: Attackers create accounts using Entra ID tenants that resemble legitimate IT accounts.
- Lack of identity verification: Employees often assume messages received through Teams are from trusted sources.
- Unrestricted remote access: Collaboration tools like Teams make it easier for attackers to direct users to install RMM tools under false pretenses.
Impact on Organizations
Black Basta’s shift to Microsoft Teams allows them to bypass traditional email security tools. The impersonation of help desk staff introduces a greater level of trust than phishing emails, making it easier to deceive employees.
ReliaQuest, a leading threat research firm, has reported hundreds of incidents across industries, including attacks on companies like Capita and Southern Water, with damages exceeding $15 million.
Mitigation Strategies
To defend against these evolving threats, OP Innovate recommends that IT admins take the following proactive measures:
- Disable external communications within Teams:
To do so, follow these steps (source: Microsoft):
- In the Teams admin center, go to Users > External access.
- Turn off the “People in my organization can communicate with Teams users whose accounts aren’t managed by an organization” setting.
- Select Save.
If external collaboration is necessary, allow only trusted domains.
- Enable Logging and Alerts: Ensure that Teams ChatCreated events are logged to help detect suspicious activity.
- Strengthen Anti-Spam Policies: Implement aggressive spam filters to prevent inbox flooding.
- Educate Employees: Conduct regular training on social engineering tactics to raise awareness about phishing and the latest threats.
- Control RMM Tools Usage: Block unauthorized remote access tools like AnyDesk and ensure that only approved software is used for IT support.
- Monitor for Cobalt Strike Beacons: Keep an eye out for post-exploitation activity and configure detection rules to identify suspicious domains and subdomains.
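The “Enable Logging and Alerts” recommendation above is only useful if something actually reads the ChatCreated events. The following is an added example, written for this article and not code from OP Innovate, Microsoft, or ReliaQuest, showing how a defender could turn the chain described earlier (inbox flooding followed by an external Teams chat from a help-desk-style display name on an onmicrosoft.com tenant) into a simple correlation rule. The record shape (Operation, CreationTime, Members with DisplayName and UPN) approximates the Microsoft 365 unified audit log but is simplified; the internal and trusted domains, the burst threshold, the time windows, and all sample telemetry are constructed for the example.

```python
"""Added example: correlate a spam burst with a later external Teams chat.

Assumptions (not from the original article): simplified audit-log-style
records, constructed domain allowlists, and illustrative thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}                 # constructed: your own tenant domains
TRUSTED_EXTERNAL_DOMAINS = {"partner.example"}      # constructed: allowed federation partners
IMPERSONATION_HINTS = ("help desk", "helpdesk", "it support", "security admin", "support admin")
SPAM_SUBJECT_HINTS = ("your account has been created", "welcome to", "thank you for registering",
                      "please verify your email", "special offer")
BURST_THRESHOLD = 20                 # spam-like mails to one recipient ...
BURST_WINDOW = timedelta(minutes=30)  # ... within this window counts as a burst
FOLLOWUP_WINDOW = timedelta(hours=4)  # chat must start this soon after the burst


def domain_of(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()


def find_mail_bursts(mail_events):
    """Return {recipient: burst_start} using a sliding window over sorted delivery times."""
    per_recipient = defaultdict(list)
    for m in mail_events:
        if any(h in m["subject"].lower() for h in SPAM_SUBJECT_HINTS):
            per_recipient[m["recipient"].lower()].append(datetime.fromisoformat(m["time"]))
    bursts = {}
    for rcpt, times in per_recipient.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > BURST_WINDOW:   # shrink window from the left
                left += 1
            if right - left + 1 >= BURST_THRESHOLD:
                bursts[rcpt] = times[left]
                break
    return bursts


def flag_external_chats(chat_events):
    """Flag ChatCreated records with a participant outside the internal and trusted domains."""
    alerts = []
    for ev in chat_events:
        if ev.get("Operation") != "ChatCreated":
            continue
        members = ev.get("Members", [])
        internal = [m["UPN"].lower() for m in members if domain_of(m["UPN"]) in INTERNAL_DOMAINS]
        for m in members:
            dom = domain_of(m["UPN"])
            if dom in INTERNAL_DOMAINS or dom in TRUSTED_EXTERNAL_DOMAINS:
                continue
            reasons = ["external participant"]
            if dom.endswith(".onmicrosoft.com"):          # default tenant domain, as in the campaign
                reasons.append("onmicrosoft.com tenant domain")
            if any(h in m["DisplayName"].lower() for h in IMPERSONATION_HINTS):
                reasons.append("IT-support-like display name")
            alerts.append({"time": datetime.fromisoformat(ev["CreationTime"]),
                           "external": m["UPN"], "display_name": m["DisplayName"],
                           "internal_targets": internal, "reasons": reasons,
                           "severity": "high" if len(reasons) >= 3 else "medium"})
    return alerts


def correlate(mail_events, chat_events):
    """Return external-chat alerts whose internal target saw a mail burst shortly before."""
    bursts = find_mail_bursts(mail_events)
    hits = []
    for a in flag_external_chats(chat_events):
        for target in a["internal_targets"]:
            start = bursts.get(target)
            if start is not None and start <= a["time"] <= start + FOLLOWUP_WINDOW:
                hits.append({**a, "target": target, "burst_started": start})
    return hits


# Constructed sample telemetry (not real log data): 25 registration-style mails to
# alice in 25 minutes, one normal mail to bob, then three chats.
MAIL_EVENTS = [{"recipient": "alice@example.com", "subject": f"Welcome to Site{i}",
                "time": f"2024-10-21T09:{i:02d}:00"} for i in range(25)]
MAIL_EVENTS.append({"recipient": "bob@example.com", "subject": "Q4 budget review",
                    "time": "2024-10-21T09:05:00"})
CHAT_EVENTS = [
    {"Operation": "ChatCreated", "CreationTime": "2024-10-21T10:15:00",
     "Members": [{"DisplayName": "Alice Example", "UPN": "alice@example.com"},
                 {"DisplayName": "Help Desk", "UPN": "admin@securityadminhelper.onmicrosoft.com"}]},
    {"Operation": "ChatCreated", "CreationTime": "2024-10-21T11:00:00",
     "Members": [{"DisplayName": "Bob Example", "UPN": "bob@example.com"},
                 {"DisplayName": "Carol Example", "UPN": "carol@example.com"}]},
    {"Operation": "ChatCreated", "CreationTime": "2024-10-21T12:00:00",
     "Members": [{"DisplayName": "Bob Example", "UPN": "bob@example.com"},
                 {"DisplayName": "Dana Partner", "UPN": "dana@partner.example"}]},
]

if __name__ == "__main__":
    for hit in correlate(MAIL_EVENTS, CHAT_EVENTS):
        print(f"{hit['time']}: '{hit['display_name']}' <{hit['external']}> opened a chat with "
              f"{hit['target']} after a mail burst starting {hit['burst_started']} "
              f"[{hit['severity']}: {', '.join(hit['reasons'])}]")
```

Only the first chat is reported: it has an external participant on an onmicrosoft.com tenant with a help-desk display name, and its internal target was flooded with registration-style mail an hour earlier. The chat with the trusted partner domain is not flagged, which is the point of maintaining an explicit allowlist rather than alerting on every external contact.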
Who is Black Basta?
Black Basta emerged as a ransomware operator in early 2022 and quickly established itself as one of the most aggressive Ransomware-as-a-Service (RaaS) groups. Within its first few months, Black Basta racked up over 100 victims worldwide, targeting organizations in the U.S., Japan, Canada, the U.K., Australia, and New Zealand.
Known for targeted, high-profile attacks, the group avoids indiscriminate phishing. Instead, it focuses on double extortion tactics—encrypting data and threatening to leak sensitive information on their public website unless a ransom is paid.
Ties to Conti and FIN7
Experts believe Black Basta evolved from the now-defunct Conti ransomware group. The two groups share similar malware development styles, leak sites, and negotiation techniques. Black Basta also shows overlap with the FIN7 (Carbanak) group, particularly through custom tools designed to evade Endpoint Detection and Response (EDR) solutions and shared command-and-control (C2) infrastructure.
Early Black Basta attacks leveraged QakBot (QBot) malware for credential theft, Cobalt Strike beacons for lateral movement, and Rclone for data exfiltration. These tactics largely remain present to this day, as shown in the latest wave of attacks.
The group has also previously exploited high-impact vulnerabilities like ZeroLogon, NoPac, and PrintNightmare to escalate privileges within victim networks. Black Basta targets both Windows and Linux-based VMware ESXi virtual machines, showcasing versatility in adapting its ransomware to different environments.
Suspecting a Breach? Contact OP Innovate
If you suspect that your organization has been targeted or compromised by Black Basta or any other sophisticated threat actor, OP Innovate is here to help. Our Incident Response (IR) team is equipped with the tools, expertise, and processes to contain threats swiftly and mitigate damage.
We specialize in handling complex breaches, including those involving ransomware attacks, social engineering, and advanced persistent threats (APTs). Our rapid-response framework ensures minimal downtime and thorough investigation, helping you regain control and resume operations as quickly as possible.
We are regularly involved in high-stakes incident response engagements. Here is a recent example where we employed advanced social engineering techniques to trace the root cause of a breach and outmaneuver the threat actor.