The Black Basta ransomware group has escalated its cyberattacks by using Microsoft Teams to impersonate IT personnel. The tactic tricks employees into installing remote access tools, bypassing traditional security measures and causing significant financial losses across multiple industries.
Black Basta, a notorious ransomware group, has started using Microsoft Teams as a tool for social engineering. This shift, which was first observed in October 2024, marks a significant change in their approach to targeting organizations. The group, which has been active since April 2022, is leveraging Teams to bypass traditional security measures, putting hundreds of organizations across finance, technology, and government contracting sectors at risk.
ReliaQuest, a leading threat research firm, has confirmed the widespread nature of these attacks, reporting that damages have exceeded $15 million across affected industries.
The new strategy employed by Black Basta begins with an overwhelming flood of spam emails, designed to overload users' inboxes and create a sense of urgency. Once this initial wave of emails succeeds in luring victims into a false sense of security, the attackers shift to a more sophisticated method—posing as IT help desk personnel through Microsoft Teams chats. This impersonation tactic is particularly effective because employees often trust messages received through the collaboration platform without verifying the sender's identity.
Cybersecurity analysts at OP Innovate uncovered this development. The attackers then convince users to install remote access tools such as Quick Assist or AnyDesk, allowing them to gain entry into the victim's system. From there, Black Basta deploys malware to maintain persistent access and infiltrate the organization’s network, enabling further attacks and lateral movement.
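The sequence described above (an inbound mail flood, then a Teams chat from outside the organization, then a remote access tool starting) can be hunted for by correlating the three signals per user. The following is an added example, not code from ReliaQuest, OP Innovate or the article; the normalized event format, field names, thresholds and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Remote access tools named in the article (process image names, lower-cased).
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}

def find_chains(events, flood_count=50, flood_window=timedelta(minutes=30),
                chain_window=timedelta(hours=4)):
    """Return [(user, chat_sender, tool, tool_time)] for each user whose events
    show: inbound email flood -> external Teams chat -> remote access tool start."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        mails = [e["ts"] for e in evs if e["kind"] == "email_in"]
        # Earliest moment at which flood_count mails fall inside flood_window.
        flood_at = next((mails[i + flood_count - 1]
                         for i in range(len(mails) - flood_count + 1)
                         if mails[i + flood_count - 1] - mails[i] <= flood_window), None)
        if flood_at is None:
            continue
        chat = next((e for e in evs if e["kind"] == "teams_chat_external"
                     and flood_at <= e["ts"] <= flood_at + chain_window), None)
        if chat is None:
            continue
        tool = next((e for e in evs if e["kind"] == "process_start"
                     and e["detail"].lower() in REMOTE_TOOLS
                     and chat["ts"] <= e["ts"] <= chat["ts"] + chain_window), None)
        if tool:
            hits.append((user, chat["detail"], tool["detail"], tool["ts"]))
    return hits

def sample_events():
    """Constructed data: alice shows the full chain, bob only a chat and a tool start."""
    t0 = datetime(2024, 10, 21, 9, 0)
    ev = [{"ts": t0 + timedelta(seconds=20 * i), "user": "alice",
           "kind": "email_in", "detail": "bulk message"} for i in range(60)]
    ev += [
        {"ts": t0 + timedelta(minutes=40), "user": "alice",
         "kind": "teams_chat_external", "detail": "helpdesk@external.example"},
        {"ts": t0 + timedelta(minutes=55), "user": "alice",
         "kind": "process_start", "detail": "QuickAssist.exe"},
        {"ts": t0 + timedelta(minutes=10), "user": "bob",
         "kind": "teams_chat_external", "detail": "partner@vendor.example"},
        {"ts": t0 + timedelta(minutes=30), "user": "bob",
         "kind": "process_start", "detail": "AnyDesk.exe"},
    ]
    return ev

if __name__ == "__main__":
    for hit in find_chains(sample_events()):
        print(hit)
```

Requiring all three signals in order keeps routine vendor chats and legitimate remote support sessions (bob in the sample data) from raising an alert on their own.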
Social engineering is a manipulation technique where cybercriminals deceive individuals into divulging confidential information, performing actions, or granting access to systems or networks. Unlike traditional hacking, which often involves exploiting technical vulnerabilities, social engineering relies on exploiting human psychology and trust. Attackers use tactics like phishing, pretexting, and impersonation to trick victims into revealing sensitive data, clicking on malicious links, or installing harmful software. By manipulating emotions like urgency, fear, or curiosity, social engineering attacks exploit the natural human tendency to trust, often bypassing security measures and leading to significant breaches of personal or organizational security.
The shift in Black Basta's tactics is particularly concerning because it introduces a new vulnerability vector that organizations may not be prepared for. The use of Microsoft Teams for social engineering undermines conventional security practices, such as email filtering and multi-factor authentication (MFA), which many businesses rely on to defend against cyberattacks. By exploiting trusted platforms, Black Basta can bypass traditional defenses and cause significant disruption.
Common types of social engineering attacks include:
Look for red flags such as:
Cybersecurity programs prevent social engineering by implementing technical defenses like email filters, MFA, and regular security updates, and by fostering a culture of awareness and vigilance in which users recognize and report suspicious activity.