Cybersecurity experts from ReliaQuest have disclosed a new method from ransomware group Black Basta, which now uses Microsoft Teams as a phishing entry point for launching ransomware. The attackers impersonate IT support staff, tricking employees into installing remote control tools that facilitate ransomware deployment. Black Basta’s new tactic involves manipulating external accounts on Teams to gain network access, echoing an expanding trend of QR code phishing scams across Microsoft platforms, including Sway.
Microsoft Teams: Black Basta’s New Ransomware Gateway
This shift to Microsoft Teams is a notable evolution from Black Basta’s earlier methods, which often relied on large spam email attacks to overload inboxes and force employees to seek help. Now, attackers create external accounts in Microsoft Entra ID, Microsoft’s cloud-based identity and access management (IAM) system, to pose as help desk staff.
Using Microsoft Teams as a phishing platform, Black Basta’s campaigns attempt to gain network access by convincing employees to install remote assistance tools. Teams chats often include QR codes linking users to fake Microsoft domains, giving attackers access when scanned.
They use tenant names like “securityadminhelper.onmicrosoft” and “supportserviceadmin.onmicrosoft,” appearing legitimate in Microsoft Teams chats. Display names like “Help Desk,” centered with extra spaces, add to the illusion of authenticity. ReliaQuest observed Moscow-based time zone data on many of these accounts, reinforcing the likelihood of Russian origins.
Once employees grant access, Black Basta installs files with names like “AntispamUpdate.exe” and “AntispamConnectUS.exe,” which provide the means to spread ransomware. Cobalt Strike, a commonly misused security tool, helps attackers move laterally within the network once access is gained.
These new tactics demonstrate the risks companies face with collaboration tools like Microsoft Teams, which allow communication from external accounts. ReliaQuest suggests tightening external communication settings and enhancing Teams logging capabilities, particularly for tracking chat events initiated by outside users. The group’s approach illustrates how phishing methods are adapting to target widely used productivity tools, exploiting both familiarity and convenience.
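The logging recommendation above can be turned into a concrete triage step. The script below is an added example (not ReliaQuest’s or Microsoft’s tooling) that reads Teams chat audit events, singles out chats involving members outside the home tenant, and scores the indicators the article describes: default “.onmicrosoft.com” tenants, tenant names built from words like “admin” or “support”, display names that impersonate a help desk, and display names padded with extra spaces. The record layout is a simplified, constructed approximation of Microsoft 365 unified audit log entries for Teams (Operation, CommunicationType, Members with DisplayName and UPN); the sample log lines and the home-tenant domains are constructed for the example and are assumptions, not data from the page.

```python
"""Triage Teams chat audit events for externally initiated chats.

Added example. The record shape is a simplified, constructed approximation
of Microsoft 365 audit log entries for Teams (assumption); the sample log
and the home-tenant domains below are constructed, not real data.
"""
import json
import re

# Assumption: the organisation's own UPN suffixes.
HOME_DOMAINS = {"example.com", "example.onmicrosoft.com"}

# Words seen in the tenant names the article reports, plus generic help-desk terms.
SUSPICIOUS_TENANT_TERMS = ("admin", "helper", "support", "security", "service")
HELPDESK_NAMES = ("help desk", "helpdesk", "it support", "service desk")

# Constructed sample records, one JSON object per line (not real logs).
SAMPLE_LOG = """
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","Members":[{"DisplayName":"Alice Example","UPN":"alice@example.com"},{"DisplayName":"     Help Desk     ","UPN":"svc@securityadminhelper.onmicrosoft.com"}]}
{"Operation":"MessageSent","CommunicationType":"OneOnOne","Members":[{"DisplayName":"Alice Example","UPN":"alice@example.com"},{"DisplayName":"Bob Example","UPN":"bob@example.com"}]}
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","Members":[{"DisplayName":"Carol Partner","UPN":"carol@partner.example.org"},{"DisplayName":"Dave Example","UPN":"dave@example.com"}]}
{"Operation":"ChatCreated","CommunicationType":"OneOnOne","Members":[{"DisplayName":"IT Support","UPN":"admin@supportserviceadmin.onmicrosoft.com"},{"DisplayName":"Erin Example","UPN":"erin@example.com"}]}
"""


def upn_domain(upn: str) -> str:
    """Return the lower-cased domain part of a UPN ('' if malformed)."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def tenant_reasons(domain: str) -> list:
    """Indicators derived from the external member's tenant domain."""
    reasons = []
    if domain.endswith(".onmicrosoft.com"):
        reasons.append("default onmicrosoft tenant (no custom domain)")
    # Leftmost label is the tenant name for *.onmicrosoft.com domains.
    tenant = domain.split(".")[0]
    hits = [t for t in SUSPICIOUS_TENANT_TERMS if t in tenant]
    if hits:
        reasons.append("tenant name contains " + ", ".join(hits))
    return reasons


def display_name_reasons(name: str) -> list:
    """Indicators derived from how the external member presents itself."""
    reasons = []
    if name != name.strip():
        reasons.append("display name padded with whitespace")
    if re.search(r"\s{2,}", name.strip()):
        reasons.append("display name contains runs of spaces")
    if name.strip().lower() in HELPDESK_NAMES:
        reasons.append("display name impersonates help desk")
    return reasons


def score_record(record: dict, home_domains=HOME_DOMAINS) -> list:
    """Return one finding per external member of a chat event (empty if none)."""
    if record.get("Operation") not in ("ChatCreated", "MessageSent"):
        return []
    findings = []
    for member in record.get("Members", []):
        upn = member.get("UPN", "")
        domain = upn_domain(upn)
        if domain in home_domains:
            continue  # internal participant
        reasons = tenant_reasons(domain) + display_name_reasons(member.get("DisplayName", ""))
        findings.append({
            "operation": record["Operation"],
            "upn": upn,
            "score": len(reasons),
            "severity": "high" if len(reasons) >= 2 else "low",
            "reasons": reasons,
        })
    return findings


def triage(log_text: str, home_domains=HOME_DOMAINS) -> list:
    """Parse newline-delimited JSON audit records and collect findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            findings.extend(score_record(json.loads(line), home_domains))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['operation']} with {f['upn']} (score {f['score']})")
        for r in f["reasons"]:
            print("    -", r)
```

Every external participant produces a finding, so a legitimate partner contact surfaces with a score of 0 and a "low" severity rather than being hidden; the scoring only decides what an analyst looks at first. In a real deployment the same logic would run over the Teams workload of the unified audit log, and the external-access side of ReliaQuest’s advice corresponds to the tenant federation settings that control which outside domains may reach users at all.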
Microsoft Sway and the Rise of QR Code Phishing Attacks
This isn’t the first instance of QR code phishing targeting Microsoft services. In August, Netskope Threat Labs reported a 2,000% surge in phishing using Microsoft Sway, an interactive presentation tool in Microsoft 365. Cybercriminals embedded QR codes in phishing emails, bypassing text-based email scanners and leading users to credential-stealing sites. When users scan these codes, typically on mobile devices with fewer security controls than computers, they’re directed to cloned Microsoft 365 login screens designed to harvest login details.
The domains associated with QR code phishing often mimic legitimate company URLs, using formats like companyname.qr-s1[.]com, making it harder for users to detect fraud. Netskope’s report emphasizes that embedding links within QR codes exploits a security gap in many scanners, allowing malicious links to slip through email defenses.
AI-Enhanced Phishing Threatens Cybersecurity Defenses
In October, Microsoft’s Digital Defense Report highlighted an alarming growth in AI-driven phishing attacks, now reaching over 600 million incidents daily. These attacks, powered by AI tools capable of automating phishing and infiltration, have made cyber operations faster and more convincing. By generating realistic phishing emails that replicate authentic communications, AI allows attackers to bypass multi-factor authentication and other standard security layers.
Microsoft revealed that AI-backed phishing is particularly effective in campaigns by nation-state actors. Russian hackers, for instance, use AI to launch sophisticated malware targeting Ukrainian infrastructure, while North Korea has deployed AI-powered ransomware in the aerospace sector. Iran’s cyber influence tactics have shifted toward financial extortion and espionage, with cyber operations against the Gulf states and Israel marking an intensified campaign of disruption.
Microsoft’s Honeypot Strategy and Persistent Anti-Phishing Vulnerabilities
To counter these escalating threats, Microsoft has implemented honeypots on Azure to divert attackers into decoy environments. This strategy places attackers within fake accounts that mimic corporate setups, allowing Microsoft to monitor and study evolving tactics. These honeypots serve as both a distraction and a data-gathering method, slowing hackers down and revealing the inner workings of their phishing methods.
Despite this strategy, weaknesses in Microsoft’s defenses remain. In August, a vulnerability was found in Microsoft 365’s anti-phishing tool, allowing hackers to disable the ‘First Contact Safety Tip’ alert meant to warn users of unfamiliar senders. By manipulating email HTML, attackers can bypass security alerts, effectively disguising phishing messages as legitimate communications. Microsoft has acknowledged the flaw, though a fix is yet to be prioritized, leaving this gap exploitable for phishing attacks.
In response to growing phishing challenges, Microsoft’s latest Digital Defense Report stresses the importance of public-private partnerships. Initiatives like the Secure Future Initiative have been established to share intelligence and resources among governments and corporations, bolstering defenses against complex cyber threats. As AI amplifies the scope and precision of phishing tactics, robust security measures and employee training programs remain essential to keep pace with evolving attack methods.