
Black Basta Ransomware group targets Microsoft Teams for attacks

The Black Basta ransomware group has escalated its cyberattacks by using Microsoft Teams to impersonate IT personnel. The tactic tricks employees into installing remote access tools, bypassing traditional security measures and causing significant financial losses across multiple industries.

 

What happened

Black Basta, a notorious ransomware group, has started using Microsoft Teams as a tool for social engineering. This shift, which was first observed in October 2024, marks a significant change in their approach to targeting organizations. The group, which has been active since April 2022, is leveraging Teams to bypass traditional security measures, putting hundreds of organizations across finance, technology, and government contracting sectors at risk.

ReliaQuest, a leading threat research firm, has confirmed the widespread nature of these attacks, reporting that damages have exceeded $15 million across affected industries. 

 

Going deeper

The new strategy employed by Black Basta begins with an overwhelming flood of spam emails, designed to overload users' inboxes and create a sense of urgency. Once this initial wave of emails succeeds in luring victims into a false sense of security, the attackers shift to a more sophisticated method—posing as IT help desk personnel through Microsoft Teams chats. This impersonation tactic is particularly effective because employees often trust messages received through the collaboration platform without verifying the sender's identity.

Cybersecurity analysts at OP Innovate uncovered this development. In the Teams chat, the attackers convince users to install remote access tools such as Quick Assist or AnyDesk, which gives them entry into the victim's system. From there, Black Basta deploys malware to maintain persistent access and infiltrate the organization's network, enabling further attacks and lateral movement.
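
The chain described above (mail flood, then an external Teams chat posing as the help desk, then a remote access tool launch) can be correlated per user. The following is an added detection example, not code from ReliaQuest, OP Innovate or the original article; the event field names, tenant domain, threshold and time window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed, normalized events; field names are hypothetical, not a vendor log schema.
RAT_PROCESSES = {"quickassist.exe", "anydesk.exe"}      # tools named in the article
HELPDESK_WORDS = ("help desk", "helpdesk", "it support")  # assumed lure keywords
INTERNAL_DOMAIN = "corp.example"                         # assumed tenant domain
SPAM_BURST = 20                                          # assumed: inbound mails per window
WINDOW = timedelta(hours=1)                              # assumed correlation window

def detect_chain(events):
    """Return one alert per user showing, in order and inside WINDOW: inbound mail
    burst -> external Teams chat posing as help desk -> remote access tool launch."""
    alerts, by_user = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for chat in evs:
            if chat["type"] != "teams_chat":
                continue
            external = not chat["sender"].lower().endswith("@" + INTERNAL_DOMAIN)
            posing = any(w in chat["display_name"].lower() for w in HELPDESK_WORDS)
            if not (external and posing):
                continue
            mails = [e for e in evs if e["type"] == "mail_in"
                     and chat["time"] - WINDOW <= e["time"] <= chat["time"]]
            tools = [e for e in evs if e["type"] == "process"
                     and e["image"].lower() in RAT_PROCESSES
                     and chat["time"] <= e["time"] <= chat["time"] + WINDOW]
            if len(mails) >= SPAM_BURST and tools:
                alerts.append({"user": user, "sender": chat["sender"],
                               "tool": tools[0]["image"], "mails": len(mails)})
                break  # one alert per user is enough for triage
    return alerts

def sample_events():
    """Constructed sample: alice matches the chain; bob runs Quick Assist with no lure."""
    base = datetime.fromisoformat("2024-10-21T09:00:00")
    evs = [{"user": "alice", "type": "mail_in", "time": base + timedelta(seconds=30 * i)}
           for i in range(40)]
    evs.append({"user": "alice", "type": "teams_chat", "time": base + timedelta(minutes=25),
                "sender": "support@helpdesk-tenant.example", "display_name": "IT Help Desk"})
    evs.append({"user": "alice", "type": "process", "time": base + timedelta(minutes=32),
                "image": "QuickAssist.exe"})
    evs.append({"user": "bob", "type": "process", "time": base + timedelta(minutes=5),
                "image": "QuickAssist.exe"})
    return evs
```

Requiring all three stages keeps routine Quick Assist sessions, such as bob's, from alerting on their own.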

 

In the know

Social engineering is a manipulation technique where cybercriminals deceive individuals into divulging confidential information, performing actions, or granting access to systems or networks. Unlike traditional hacking, which often involves exploiting technical vulnerabilities, social engineering relies on exploiting human psychology and trust. Attackers use tactics like phishing, pretexting, and impersonation to trick victims into revealing sensitive data, clicking on malicious links, or installing harmful software. By manipulating emotions like urgency, fear, or curiosity, social engineering attacks exploit the natural human tendency to trust, often bypassing security measures and leading to significant breaches of personal or organizational security.

 

Why it matters 

The shift in Black Basta's tactics is particularly concerning because it introduces a new attack vector that organizations may not be prepared for. The use of Microsoft Teams for social engineering undermines conventional security practices, such as email filtering and multi-factor authentication (MFA), which many businesses rely on to defend against cyberattacks. By exploiting trusted platforms, Black Basta can bypass traditional defenses and cause significant disruption.

 

FAQs

What are some common types of social engineering attacks?

Common types of social engineering attacks include:

  • Phishing: Fake emails or messages that appear to come from a trusted source, designed to steal login credentials or install malware.
  • Pretexting: The attacker creates a fabricated scenario to obtain information, like posing as an authority figure.
  • Baiting: Offering something enticing, such as free software, to trick the victim into downloading malware.
  • Spear phishing: A targeted phishing attack that is highly personalized to the victim.
  • Vishing (Voice phishing): Using phone calls to impersonate trusted figures and extract personal information.

 

How can I identify a social engineering attack?

Look for red flags such as:

  • Suspicious or unexpected requests for sensitive information.
  • Unfamiliar sender addresses or phone numbers.
  • Urgent or threatening language, pushing you to act quickly.
  • Unusual behavior, like someone asking for help outside their normal scope of work.

 

What is the role of cybersecurity in preventing social engineering?

Cybersecurity prevents social engineering by implementing technical defenses like email filters, MFA, and regular security updates, as well as fostering a culture of awareness and vigilance among users to recognize and report suspicious activity.