The Black Basta ransomware group attacks organizations using Microsoft Teams support accounts

The Black Basta ransomware group now employs a new social engineering tactic to compromise Microsoft Teams accounts with email spam and Teams messages containing malicious QR codes. Security expert ReliaQuest discovered the new cyberattack strategies, which the company detailed in its new blog post.

This is a departure from Black Basta’s previous tactics, which primarily involved gaining initial access to a victim’s network via exposed remote management tools and then deploying Cobalt Strike beacons used for lateral movement and data exfiltration.

In October 2024, ReliaQuest responded to an alert for Impacket activity, a set of tools for manipulating Windows Active Directory authentication protocols. During the investigation, the company discovered a broader trend: a campaign of escalated social engineering tactics associated initially with Black Basta. As part of a wide-ranging email spam campaign, the attackers are also sending Microsoft Teams messages to targeted users.

The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment. Ultimately, the attackers’ end goal in these incidents is almost certainly the deployment of ransomware.

ReliaQuest says Black Basta’s ransomware campaign poses a “significant threat” to organizations using Microsoft Teams. According to the company, the attackers are targeting many of ReliaQuest’s customers across diverse sectors and geographies with “alarming intensity. ” In one incident, ReliaQuest observed approximately 1,000 emails bombarding a single user within 50 minutes.

The company agrees that the sheer volume of activity is uniquely high, and the company attributes the incidents to Black Basta with “high confidence” due to commonalities in domain creation and Cobalt Strike configurations.

In July, after the Kaseya attack that affected hundreds of companies, Black Basta announced that it would move away from supply chain-based attacks and instead focus on exploiting active vulnerabilities in on-premises solutions. While Black Basta has not launched significant new ransomware campaigns, the group has been active recently.