
ReliaQuest experts have discovered a broader trend: a campaign using escalated social engineering tactics in Microsoft Teams, originally associated with the Black Basta ransomware group.
The previous approach was to bombard users with email spam and convince them to create a legitimate help desk ticket to resolve the issue. The attacker would then contact the end user or employee, posing as the help desk, to respond to the ticket.
Teams attacks via QR codes
In more recent incidents, attackers have refined their tactics by using Microsoft Teams chat messages to communicate with targeted users and embedding malicious QR codes to facilitate initial access. These social engineering techniques are designed to trick users into downloading remote monitoring and management (RMM) tools, which the attackers can then use to gain access to the targeted environment. Ransomware is then likely to be deployed on the system.
This rapidly escalating campaign poses a significant threat to organizations. The threat group is targeting many different industries and geographies with alarming intensity. The sheer volume of activity is also unique; in one incident, we observed approximately 50 emails bombarding a single user in just 1.000 minutes. Due to similarities in domain creation and Cobalt Strike configurations, it is highly likely that Black Basta is behind this activity.
Attackers continue to vary their tactics
During incidents in late October 2024, ReliaQuest experts observed several changes in Black Basta's tactics, techniques, and procedures (TTPs):
- Following mass email spam events, the targeted users were added to Microsoft Teams chats with external users. These external users operated from Entra ID tenants they had created to impersonate support, administrator, or help desk staff.
- In recent incidents, threat actors were observed tricking targeted users into using QuickAssist rather than just AnyDesk for “support” sessions. Additionally, in these chats, targeted users were sent QR codes posing as legitimate corporate QR code images.
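For defenders, the sequence described above (mass email spam, then a Teams chat from an external tenant posing as support, then an RMM tool launch) can be correlated per user. The following is an added example, not ReliaQuest's detection logic; the event schema, field names, thresholds and tenant IDs are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field names, thresholds and tenant ids are assumptions made for this sketch.
HOME_TENANT = "tenant-home-0000"                     # placeholder tenant id
SPAM_COUNT, SPAM_WINDOW = 30, timedelta(minutes=60)  # what counts as a burst
CHAIN_WINDOW = timedelta(hours=4)                    # max gap between stages
IMPERSONATION = re.compile(r"help\s*desk|support|admin", re.I)
RMM_TOOLS = {"quickassist.exe", "anydesk.exe"}       # tools named in the article

def burst_time(times):
    """Time at which SPAM_COUNT mails had arrived within SPAM_WINDOW, else None."""
    times = sorted(times)
    for i in range(len(times) - SPAM_COUNT + 1):
        if times[i + SPAM_COUNT - 1] - times[i] <= SPAM_WINDOW:
            return times[i + SPAM_COUNT - 1]
    return None

def correlate(events):
    """Map each user with a spam burst to the chain stages seen, in order."""
    by_user, findings = defaultdict(list), {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        t = burst_time([e["time"] for e in evs if e["type"] == "mail"])
        if t is None:
            continue
        stages = findings[user] = ["spam_burst"]
        for e in evs:
            in_window = timedelta(0) <= e["time"] - t <= CHAIN_WINDOW
            if (in_window and len(stages) == 1 and e["type"] == "teams_chat"
                    and e["sender_tenant"] != HOME_TENANT
                    and IMPERSONATION.search(e["sender_name"])):
                stages.append("external_helpdesk_chat")
                t = e["time"]  # the next stage is timed from the chat
            elif (in_window and len(stages) == 2 and e["type"] == "process"
                    and e["image"].lower() in RMM_TOOLS):
                stages.append("rmm_launch")
    return findings

def sample_events():
    """Constructed data, not real telemetry: alice shows the full chain, bob none."""
    at = lambda m: datetime(2024, 10, 28, 9, 0) + timedelta(minutes=m)
    ev = [{"type": "mail", "user": u, "time": at(m)} for u, n in (("alice", 40), ("bob", 3)) for m in range(n)]
    for user, name, tenant in (("alice", "Help Desk", "tenant-ext-1111"), ("bob", "Dana Lee", "tenant-ext-2222")):
        ev.append({"type": "teams_chat", "user": user, "time": at(55), "sender_tenant": tenant, "sender_name": name})
        ev.append({"type": "process", "user": user, "time": at(70), "image": "QuickAssist.exe"})
    return ev
```

A user who reaches all three stages warrants immediate triage; a burst followed only by the external chat is still worth a check-in with the user before any remote session starts.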
About ReliaQuest
ReliaQuest is here to make security possible. It enables security teams to detect, contain, and respond to threats in minutes - anytime, anywhere. Our GreyMatter platform enables enterprise security teams to leverage their current or future technology stack to achieve greater visibility and automation without the need to centralize data or standardize tools.