Hackers have been posing as IT support on Microsoft Teams
The social engineering campaign combines a traditional email spam campaign with Microsoft Teams-based manipulation
Security researchers have warned about an ongoing threat campaign where hackers are posing as IT support technicians to trick unsuspecting users.
A new report from Reliaquest detailed how, after responding to a security alert, it discovered a “campaign of escalated social engineering tactics originally associated with the ransomware group ‘Black Basta’.”
The report outlined a shift in tactics in late October 2024 from mass spam email events to using Microsoft Teams messages. Reliaquest noted the scale of the initial email campaign, stating that in one incident alone it observed approximately 1,000 emails sent within the space of just 50 minutes targeting a single user.
Due to patterns in the domain creation and Cobalt Strike configurations used in the attacks, the report attributed the campaign to Black Basta with high confidence.
Following the mass email spam events, targets were then added to Microsoft Teams Chats with external users, who operated from Entra ID tenants created to mask themselves as IT support, admin, or help desk professionals.
Reliaquest found the threat actors generally originated from Russia, with the time data logged by Teams reflecting they were located in the Moscow time zone.
The attackers’ intent was to convince users to download the remote monitoring and management (RMM) tool, AnyDesk, which would give them initial access to the target environment with the ultimate aim of deploying ransomware.
Similarly, the report noted it had identified several listings on the dark web advertising email spam services, which were available for anywhere from $10 to $500.
Black Basta observed rapidly evolving their TTPs
Reliaquest added that when analyzing recent incidents, it observed the threat actors adapting their TTPs, using Microsoft QuickAssist instead of AnyDesk to take control of the user’s machine.
Additionally, the group were observed using QR codes to phish the victims when they were communicating over Teams. The malicious domains linked to the QR codes were often generic but the report noted some were tailored to match the targeted organization, such as ‘companyname.qr–s1[.]com’.
By tracking these domains, researchers estimate that the threat actor has been using, or planning to use, the qishing technique since early October.
To mitigate against tactics involving Microsoft Teams and ‘qishing’, the report recommended organizations disable communication from external users within Teams.
In cases where communication with external users is required, businesses can whitelist specific trusted domains.
As previously noted, the attackers typically set their names to ‘help desk’, often surrounded by whitespace characters, which the report stated is likely intended to center the name within chats. This means that when searching for these accounts, organizations should use a ‘contains’ match rather than an exact match to identify potentially malicious actors.
Organizations should also ensure that logging is enabled for their employees' Teams chats, particularly the ChatCreated event, which can help investigate potentially malicious activities.
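As an added illustration (not code from the Reliaquest report or from ITPro), the Python sketch below applies the ‘contains’ match to ChatCreated records and ignores members from trusted domains. The record layout (Operation, Members, DisplayName, UPN), the keyword list and the trusted domains are assumptions made for the example, and the sample log is constructed.

```python
import unicodedata

# Assumed keywords, based on the impersonated roles named in the article.
KEYWORDS = ("help desk", "helpdesk", "it support")
# Hypothetical domains: the organization's own tenant plus allow-listed partners.
TRUSTED_DOMAINS = {"example.com", "partner.example"}

def normalize(name: str) -> str:
    """Casefold, map separator/format/control characters to spaces, collapse runs."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    spaced = "".join(
        " " if unicodedata.category(c) in ("Zs", "Zl", "Zp", "Cf", "Cc") else c
        for c in folded
    )
    return " ".join(spaced.split())

def suspicious_members(record: dict) -> list:
    """Return (display name, UPN) for untrusted members whose name contains a keyword."""
    if record.get("Operation") != "ChatCreated":
        return []
    hits = []
    for member in record.get("Members", []):
        upn = member.get("UPN", "")
        domain = upn.rpartition("@")[2].lower()
        name = normalize(member.get("DisplayName", ""))
        if domain not in TRUSTED_DOMAINS and any(k in name for k in KEYWORDS):
            hits.append((member.get("DisplayName", ""), upn))
    return hits

def find_hits(log: list) -> list:
    """Flatten suspicious members across all records in an exported audit log."""
    return [hit for record in log for hit in suspicious_members(record)]

# Constructed sample records (simplified; real audit exports carry more fields).
SAMPLE_LOG = [
    {"Operation": "ChatCreated", "Members": [
        # Name padded with em spaces, so an exact match on "Help Desk" misses it.
        {"DisplayName": "\u2003\u2003Help Desk\u2003\u2003",
         "UPN": "support@attacker-tenant.example"},
        {"DisplayName": "Dana Smith", "UPN": "dana@example.com"}]},
    {"Operation": "ChatCreated", "Members": [
        {"DisplayName": "Help Desk", "UPN": "helpdesk@example.com"}]},
    {"Operation": "MessageSent", "Members": []},
]

if __name__ == "__main__":
    for display_name, upn in find_hits(SAMPLE_LOG):
        print(f"review: {display_name!r} <{upn}>")
```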
Reliaquest added that while the campaign is still evolving, and Black Basta has demonstrated its ability to rapidly adapt its TTPs, the group’s post-exploitation activities remain largely similar, relying on the deployment of Cobalt Strike Beacons and Impacket abuse.
As such, existing security tools and detection rules should be able to pick up this activity. Reliaquest urged organizations to ensure employees remain vigilant against current social engineering tactics by focusing on training and awareness programs that highlight the latest threats and techniques.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.