• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Android Malware Konfety evolves with ZIP manipulation and dynamic loading

 | 

Belk hit by May cyberattack: DragonForce stole 150GB of data

 | 

North Korea-linked actors spread XORIndex malware via 67 malicious npm packages

 | 

FBI seized multiple piracy sites distributing pirated video games

 | 

An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

 | 

Interlock ransomware group deploys new PHP-based RAT via FileFix

 | 

Global Louis Vuitton data breach impacts UK, South Korea, and Turkey

 | 

Experts uncover critical flaws in Kigen eSIM technology affecting billions

 | 

Spain awarded €12.3 million in contracts to Huawei

 | 

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb

 | 

Wing FTP Server flaw actively exploited shortly after technical details were made public

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 53

 | 

Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

McDonald’s job app exposes data of 64 Million applicants

 | 

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • Black Basta affiliates used Microsoft Teams in recent attacks

Black Basta affiliates used Microsoft Teams in recent attacks

Pierluigi Paganini October 28, 2024

ReliaQuest researchers observed Black Basta affiliates relying on Microsoft Teams to gain initial access to target networks.

ReliaQuest researchers warn that Black Basta ransomware affiliates switched to Microsoft Teams, posing as IT support to deceive employees into granting access.

The BlackBasta ransomware operators were spotted posing as corporate help desks and contacting employees to help them mitigate an ongoing spam attack.

Threat actors flood an employee’s inbox with emails, then impersonate IT support on Microsoft Teams to offer “help” with the spam issue.

“Their previous approach involved overwhelming users with email spam, prompting them to create a legitimate help-desk ticket to resolve the issue. The attacker would then contact the end user, posing as the help desk, to respond to the ticket.” reads the report published by ReliaQuest. “In more recent incidents, attackers have advanced their tactics by using Microsoft Teams chat messages to communicate with targeted users and incorporating malicious QR codes to facilitate initial access.”

The threat actors attempt to trick users into downloading remote monitoring and management (RMM) tools like AnyDesk, and once gained initial access to the targeted environment to deploy ransomware.

The researchers pointed out that the volume of the message sent to the potential victims is very high; in one instance they observed approximately 1,000 emails sent to a single user within just 50 minutes.

The attackers added the targeted users to Microsoft Teams chats with external users. These external users operated from Entra ID tenants they created using a naming convention to pose as support, admin, or help-desk staff.

Below are some of the tenants used by attackers:

  • cybersecurityadmin.onmicrosoft[.]com
  • securityadminhelper.onmicrosoft[.]com
  • supportserviceadmin.onmicrosoft[.]com
  • supportadministrator.onmicrosoft[.]com

“These external users set their profiles to a “DisplayName” designed to make the targeted user think they were communicating with a help-desk account.” continues the report. “In almost all instances we’ve observed, the display name included the string “Help Desk,” often surrounded by whitespace characters, which is likely to center the name within the chat. We also observed that, typically, targeted users were added to a “OneOnOne” chat.”

Threat actors also sent QR codes in the chats as part of Quishing attempts.

The experts highly confidently attributed the attack to Black Basta based on commonalities in domain creation and Cobalt Strike configurations.

The experts observed that the operations of the external users generally originated from Russia, with the Moscow time zone.

After gaining access, attackers deploy malicious files, including proxy malware and Cobalt Strike, to deepen network infiltration. Experts advise restricting external Microsoft Teams communications and logging suspicious chat activities for improved security.

“This campaign is still evolving, with Black Basta demonstrating their ability to rapidly adapt their TTPs, likely to thwart defenders and buy themselves more time in networks to further their attacks.” concludes the report. “While their initial access methods have changed, their post-exploitation activities are likely to remain consistent with previously observed patterns, which are covered by existing security tools and detections rules.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Teams)


facebook linkedin twitter

Black Basta ransomware Cybercrime Hacking hacking news information security news IT Information Security malware Microsoft Teams Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 15, 2025
Android Malware Konfety evolves with ZIP manipulation and dynamic loading
Read more
Pierluigi Paganini July 15, 2025
Belk hit by May cyberattack: DragonForce stole 150GB of data
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Android Malware Konfety evolves with ZIP manipulation and dynamic loading

    Malware / July 15, 2025

    Belk hit by May cyberattack: DragonForce stole 150GB of data

    Data Breach / July 15, 2025

    North Korea-linked actors spread XORIndex malware via 67 malicious npm packages

    Hacking / July 15, 2025

    FBI seized multiple piracy sites distributing pirated video games

    Cyber Crime / July 15, 2025

    An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

    Hacking / July 15, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT