Ransomware crew pose as Microsoft Teams IT support to steal logins and passwords


Infamous cybercrime group Black Basta has enhanced one of its latest techniques for infiltrating organizations, gaining persistent access, and launching ransomware campaigns by involving Microsoft Teams.

The most recent technique is highly targeted, and involves using social engineering to 'spear-spam' an employee's email inbox with an overwhelming amount of junk, to the point where the inbox simply isn’t usable.

The attackers would then phone the employee and pretend to be the organization’s IT helpdesk, offering assistance with the spam affecting the video conferencing platform.

Spear-spam

While ‘helping’ the employee, the attackers will gain control of the victim’s device by installing the AnyDesk remote desktop software, or by launching the Windows Quick Assist tool, before deploying payloads that infect the device with ScreenConnect, NetSupport Manager, and Cobalt Strike. Through these payloads, the attackers would launch their typical ransomware attack.

However, in Black Basta’s latest twist on this technique, the group instead contacts the employee through Microsoft Teams from an external account set up to mimic the organization’s IT helpdesk, using Entra ID tenants that look legitimate at a glance but are clearly fake on closer inspection.

ReliaQuest, who observed the shift in tactic earlier this month, explained that Black Basta was using tenants on the default “*.onmicrosoft.com” namespace, such as “securityadminhelper.onmicrosoft[.]com” or “Supportserviceadmin.onmicrosoft[.]com”. The attackers also used the display name “Help Desk”, padded with whitespace characters so that it sits centred in the chat window, and added the target to a “OneOnOne” chat. They then continued the attack by deploying payloads in files named “AntispamAccount.exe,” “AntispamUpdate.exe,” or “AntispamConnectUS.exe.”

ReliaQuest also observed that a significant proportion of the fake Teams accounts originated from Russia, with many having time zone data mapped to Moscow. ReliaQuest recommends that system administrators and security teams restrict Microsoft Teams chats from external accounts to trusted domains only, and enable chat logging.
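The indicators ReliaQuest describes (default *.onmicrosoft.com tenants, a whitespace-padded “Help Desk” display name, OneOnOne chats, Moscow time zone data, and Antispam*.exe payload names) and the trusted-domain allow list it recommends can be turned into a simple triage check over Teams chat logs. The following is an added example, not code from ReliaQuest or the article; the chat records, the record fields and the `partner.example` allow list are constructed for illustration.

```python
import re

# Constructed sample Teams chat records (not real telemetry), shaped after the
# indicators in the article: default *.onmicrosoft.com tenants, a whitespace-
# padded "Help Desk" name, OneOnOne chats, Moscow time zone data, Antispam*.exe.
SAMPLE_CHATS = [
    {"chat_type": "OneOnOne", "sender_domain": "securityadminhelper.onmicrosoft.com",
     "display_name": "            Help Desk            ", "timezone": "Europe/Moscow",
     "attachments": ["AntispamUpdate.exe"]},
    {"chat_type": "OneOnOne", "sender_domain": "partner.example",  # hypothetical partner
     "display_name": "Alice Partner", "timezone": "Europe/London",
     "attachments": ["agenda.pdf"]},
    {"chat_type": "Group", "sender_domain": "supportserviceadmin.onmicrosoft.com",
     "display_name": "IT Support", "timezone": "Europe/Moscow", "attachments": []},
]

# Hypothetical allow list of external domains the organisation federates with.
TRUSTED_DOMAINS = {"partner.example"}

ANTISPAM_EXE = re.compile(r"^antispam\w*\.exe$", re.IGNORECASE)
HELPDESK_NAME = re.compile(r"\b(help\s*desk|it\s+support)\b", re.IGNORECASE)

def chat_indicators(chat):
    """Return the reasons an external chat resembles the fake help-desk lure."""
    reasons = []
    domain = chat["sender_domain"].lower()
    if domain not in TRUSTED_DOMAINS:
        reasons.append("sender domain not on the trusted-domain allow list")
    if domain.endswith(".onmicrosoft.com"):
        reasons.append("sender uses a default *.onmicrosoft.com tenant")
    name = chat["display_name"]
    if name != name.strip():
        reasons.append("display name padded with whitespace to centre it")
    if HELPDESK_NAME.search(name):
        reasons.append("display name impersonates the IT help desk")
    if chat["chat_type"] == "OneOnOne" and chat["timezone"] == "Europe/Moscow":
        reasons.append("OneOnOne chat from an account with Moscow time zone data")
    reasons += [f"payload-style attachment {a}" for a in chat["attachments"]
                if ANTISPAM_EXE.match(a)]
    return reasons

def triage(chats, min_reasons=2):
    """Return (sender_domain, reasons) for chats hitting at least min_reasons indicators."""
    hits = []
    for chat in chats:
        reasons = chat_indicators(chat)
        if len(reasons) >= min_reasons:
            hits.append((chat["sender_domain"], reasons))
    return hits
```

Any single indicator can be benign (a legitimate partner may well use an onmicrosoft.com tenant), which is why `triage` requires several to coincide before raising a hit.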

Black Basta has been blamed for over 500 ransomware attacks worldwide, and has established itself as one of the most prolific ransomware-as-a-service providers. The group emerged early in 2022, and is likely composed of fragments of the Conti ransomware group that collapsed in the same year.


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
