Black Basta ransomware poses as IT support on Microsoft Teams to breach networks
The Black Basta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack.
Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
After the Conti cybercrime syndicate shut down in June 2022 following a series of embarrassing data breaches, the operation split into multiple groups, with one of these factions believed to be Black Basta.
Black Basta members breach networks through various methods, including exploiting vulnerabilities, partnering with malware botnets, and social engineering.
In May, Rapid7 and ReliaQuest released advisories on a new Black Basta social engineering campaign that flooded targeted employees' inboxes with thousands of emails. These emails were not malicious in nature, mostly consisting of newsletters, sign-up confirmations, and email verifications, but they quickly overwhelmed a user's inbox.
The threat actors would then call the overwhelmed employee, posing as their company's IT help desk to help them with their spam problems.
During this voice social engineering attack, the attackers trick the person into installing the AnyDesk remote support tool or providing remote access to their Windows devices by launching the Windows Quick Assist remote control and screen-sharing tool.
From there, the attackers would run a script that installs various payloads, such as ScreenConnect, NetSupport Manager, and Cobalt Strike, which provide continued remote access to the user's corporate device.
Once the Black Basta affiliate had gained access to the corporate network, they would spread laterally to other devices while elevating privileges, stealing data, and ultimately deploying the ransomware encryptor.
Moving to Microsoft Teams
In a new report by ReliaQuest, researchers observed Black Basta affiliates evolving their tactics in October by now utilizing Microsoft Teams.
Like the previous attack, the threat actors first overwhelm an employee's inbox with email.
However, instead of calling them, the attackers now contact employees through Microsoft Teams as external users, impersonating the corporate IT help desk reaching out to assist the employee with their spam problem.
The accounts are created under Entra ID tenants named to look like help-desk tenants, such as:
securityadminhelper.onmicrosoft[.]com
supportserviceadmin.onmicrosoft[.]com
supportadministrator.onmicrosoft[.]com
cybersecurityadmin.onmicrosoft[.]com
"These external users set their profiles to a 'DisplayName' designed to make the targeted user think they were communicating with a help-desk account," explains the new ReliaQuest report.
"In almost all instances we've observed, the display name included the string 'Help Desk,' often surrounded by whitespace characters, which is likely to center the name within the chat. We also observed that, typically, targeted users were added to a 'OneOnOne' chat."
ReliaQuest says they have also seen the threat actors sending QR codes in the chats, which lead to domains like qr-s1[.]com. However, they could not determine what these QR codes are used for.
The researchers say that the external Microsoft Teams users originate from Russia, with their time zone data regularly set to Moscow.
The goal is to once again trick the target into installing AnyDesk or launching Quick Assist so the threat actors can gain remote access to their devices.
Once connected, the threat actors were seen installing payloads named "AntispamAccount.exe," "AntispamUpdate.exe," and "AntispamConnectUS.exe."
Other researchers have flagged AntispamConnectUS.exe on VirusTotal as SystemBC, a proxy malware that Black Basta used in the past.
Ultimately, Cobalt Strike is installed, providing full access to the compromised device to act as a springboard to push further into the network.
ReliaQuest suggests organizations restrict communication from external users in Microsoft Teams and, if required, only allow it from trusted domains. Logging should also be enabled, especially for the ChatCreated event, to find suspicious chats.
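The following is an added example, not code from the article or from ReliaQuest, showing how a defender could sweep ChatCreated audit records for the indicators described above: an external member, a help-desk-styled onmicrosoft.com tenant, a "Help Desk" display name padded with whitespace, and a OneOnOne chat. The record layout is a simplified assumption loosely modelled on Microsoft 365 audit-log entries, and the sample lines and domains are constructed.

```python
import json
import re

# Constructed sample records. Field names (Operation, CommunicationType,
# Members/DisplayName/UPN) are an assumption, not a documented schema.
SAMPLE_LOG = """
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","Members":[{"DisplayName":"    Help Desk    ","UPN":"admin@securityadminhelper.onmicrosoft.com"},{"DisplayName":"Alice Ng","UPN":"alice@corp.example"}]}
{"Operation":"ChatCreated","CommunicationType":"Group","Members":[{"DisplayName":"Bob Ito","UPN":"bob@corp.example"},{"DisplayName":"Carol Li","UPN":"carol@corp.example"}]}
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","Members":[{"DisplayName":"Dan Ortiz","UPN":"dan@vendor.example"},{"DisplayName":"Alice Ng","UPN":"alice@corp.example"}]}
"""

# Domains the organisation allows for external Teams communication (constructed).
TRUSTED_DOMAINS = {"corp.example", "partner.example"}
# Tenant names built from help-desk vocabulary under onmicrosoft.com.
LURE_TENANT = re.compile(r"(security|support|admin|help)[^@]*\.onmicrosoft\.com$", re.I)


def score_chat(rec, trusted=TRUSTED_DOMAINS):
    """Return the list of lure indicators present in one ChatCreated record."""
    if rec.get("Operation") != "ChatCreated":
        return []
    reasons = []
    for member in rec.get("Members", []):
        domain = member.get("UPN", "").rpartition("@")[2].lower()
        name = member.get("DisplayName", "")
        if domain in trusted:
            continue
        reasons.append(f"external member from {domain}")
        if LURE_TENANT.search(domain):
            reasons.append("help-desk-styled onmicrosoft tenant")
        # str.strip() removes Unicode whitespace too, so NBSP/ideographic padding
        # used to centre the name is caught as well as plain spaces.
        if "help desk" in name.strip().lower():
            reasons.append("external display name claims Help Desk")
        if name != name.strip():
            reasons.append("display name padded with whitespace")
    if reasons and rec.get("CommunicationType") == "OneOnOne":
        reasons.append("OneOnOne chat with external user")
    return reasons


def scan(log_text, trusted=TRUSTED_DOMAINS):
    """Parse one JSON record per line and return (chat type, reasons) for each hit."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        reasons = score_chat(rec, trusted)
        if reasons:
            hits.append((rec.get("CommunicationType"), reasons))
    return hits


if __name__ == "__main__":
    for chat_type, reasons in scan(SAMPLE_LOG):
        print(chat_type, "->", "; ".join(reasons))
```

The number of reasons per hit gives a rough severity: the first sample record trips all five indicators, while the third (an untrusted but otherwise unremarkable external user) trips only two.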