Cybersecurity firm ReliaQuest uncovered a disturbing new trend in ransomware attacks involving the notorious Black Basta group. Known for its relentless social engineering tactics, Black Basta has shifted from traditional email spam to using Microsoft Teams chats and malicious QR codes, enhancing its methods to infiltrate and compromise organizations.
ReliaQuest's investigation revealed that after spamming users with an overwhelming volume of emails, attackers added targets to Microsoft Teams chats, posing as legitimate help-desk personnel. These external accounts, operating from Entra ID tenants with misleading names like "Help Desk," used display names designed to deceive users into thinking they were communicating with real IT support staff. Once trust was established, attackers sent QR codes, purportedly to assist with resolving the fake issue, aiming to trick users into downloading malicious software.
In one instance, a user received approximately 1,000 emails in under an hour before the attacker followed up through Microsoft Teams, ultimately persuading the user to install AnyDesk, a remote monitoring tool. This allowed Black Basta to deploy malicious files disguised as anti-spam programs, gaining unauthorized access to the network and deploying tools like Cobalt Strike for further exploitation.
"Any organization using Microsoft Teams should educate their employees about these types of scams," commented Roger Grimes, data-driven defense evangelist at KnowBe4. "That applies to any mass communication media that the company uses. Education is key. Conducting simulated phishing tests that try these types of tactics is key. And if users fail these tests, they should receive more education and simulated phishing until they are not failing those simulated tests."
This campaign is part of a broader trend. Grimes noted that "Microsoft reported in last week's Microsoft Digital Defense 2024 report that malicious QR codes are now involved in 20% of phishing emails. If you are not training your users about malicious QR codes, you're doing them and your organization a disservice."
ReliaQuest also identified a growing use of malicious domains tailored to specific organizations, further complicating the phishing attacks. The attackers create subdomains mimicking their targets, such as “companyname.qr-s1[.]com,” to make phishing attempts appear more credible.
These developments are part of a larger evolution in ransomware attacks, demonstrating how threat actors like Black Basta are rapidly adapting their tactics to stay ahead of defenders. While the use of Microsoft Teams and QR codes represents a novel approach, the attackers' goals remain consistent: gain access to networks, deploy ransomware, and profit from compromised systems.
To counter these evolving threats, ReliaQuest advises organizations to monitor external communication on platforms like Microsoft Teams, block malicious domains, and regularly train employees on identifying phishing attempts. Additionally, implementing strong anti-spam policies and multi-factor authentication can prevent initial access. By combining vigilance, education, and layered security measures, organizations can strengthen their defenses against these increasingly sophisticated attacks.
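As an added illustration of the monitoring advice above (this is example code written for this page, not ReliaQuest's tooling or Microsoft's audit-log format), the script below correlates the three observable stages the article describes: a burst of inbound mail to one user, an external Teams contact whose display name impersonates IT support, and a chat message carrying a look-alike subdomain under an untrusted parent such as the `qr-s1[.]com` pattern mentioned. The log schema, tenant identifiers, organization name, and threshold values are all constructed assumptions for the demonstration; a real deployment would feed it from the Teams audit log and mail-flow telemetry and tune the thresholds to local volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Assumed environment (placeholders, not values taken from the article) ---
HOME_TENANT = "home-tenant-id-placeholder"          # the organization's own Entra ID tenant
ORG_NAME = "contoso"                                 # name an attacker would mimic in a subdomain
TRUSTED_DOMAINS = {"contoso.com", "microsoft.com"}   # registrable domains allowed in chat links
IT_KEYWORDS = ("help desk", "helpdesk", "it support", "service desk", "support")
FLOOD_THRESHOLD = 200                 # mails to one recipient inside FLOOD_WINDOW (assumed tuning)
FLOOD_WINDOW = timedelta(hours=1)
FOLLOW_UP_WINDOW = timedelta(hours=6)  # Teams contact this soon after a flood is treated as related

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# --- Constructed sample telemetry (simplified schema, not Microsoft's audit-log format) ---
_t0 = datetime(2024, 10, 22, 9, 0, 0)
# alice receives 250 inbound mails in about 30 minutes; bob receives a normal trickle
MAIL_EVENTS = [{"recipient": "alice@contoso.com", "ts": _t0 + timedelta(seconds=7 * i)}
               for i in range(250)]
MAIL_EVENTS += [{"recipient": "bob@contoso.com", "ts": _t0 + timedelta(minutes=20 * i)}
                for i in range(3)]

TEAMS_EVENTS = [
    {   # external tenant, IT-sounding display name, look-alike domain, shortly after the flood
        "recipient": "alice@contoso.com", "sender": "agent@external.example",
        "sender_tenant": "external-tenant-A", "sender_display_name": "Help Desk",
        "ts": _t0 + timedelta(hours=1, minutes=5),
        "text": "Hi Alice, scan this QR to stop the spam: contoso.qr-s1[.]com/fix",
    },
    {   # genuine internal IT message: home tenant, legitimate domain
        "recipient": "bob@contoso.com", "sender": "it@contoso.com",
        "sender_tenant": HOME_TENANT, "sender_display_name": "IT Help Desk",
        "ts": _t0 + timedelta(hours=2),
        "text": "Reminder: password reset at https://portal.contoso.com",
    },
    {   # ordinary partner chat: external, but nothing else suspicious
        "recipient": "bob@contoso.com", "sender": "pm@partner.example",
        "sender_tenant": "external-tenant-B", "sender_display_name": "Partner PM",
        "ts": _t0 + timedelta(hours=3),
        "text": "Can we move the sync to Thursday?",
    },
]


def impersonates_it(display_name):
    """True if a display name reads like an IT/help-desk identity."""
    name = display_name.lower()
    return any(keyword in name for keyword in IT_KEYWORDS)


def lookalike_domains(text, org_name, trusted):
    """Domains in a message whose labels contain the org name but whose
    registrable domain (last two labels, a simplification) is not trusted."""
    hits = []
    for domain in DOMAIN_RE.findall(text.replace("[.]", ".")):
        domain = domain.lower()
        registrable = ".".join(domain.split(".")[-2:])
        if registrable not in trusted and org_name in domain:
            hits.append(domain)
    return hits


def flooded_recipients(mail_events, threshold, window):
    """Map recipient -> time the flood threshold was first crossed, using a
    sliding window over that recipient's sorted mail timestamps."""
    by_recipient = defaultdict(list)
    for event in mail_events:
        by_recipient[event["recipient"]].append(event["ts"])
    floods = {}
    for recipient, times in by_recipient.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                floods[recipient] = t
                break
    return floods


def triage(mail_events, teams_events, home_tenant, org_name, trusted):
    """Flag Teams messages that combine at least two indicators of the pattern."""
    floods = flooded_recipients(mail_events, FLOOD_THRESHOLD, FLOOD_WINDOW)
    findings = []
    for event in teams_events:
        reasons = []
        if event["sender_tenant"] != home_tenant:
            reasons.append("external tenant")
            if impersonates_it(event["sender_display_name"]):
                reasons.append("display name impersonates IT support")
        domains = lookalike_domains(event["text"], org_name, trusted)
        if domains:
            reasons.append("look-alike domain: " + ", ".join(domains))
        flood_ts = floods.get(event["recipient"])
        if flood_ts is not None and timedelta(0) <= event["ts"] - flood_ts <= FOLLOW_UP_WINDOW:
            reasons.append("follows email flood")
        if len(reasons) >= 2:
            findings.append({"recipient": event["recipient"],
                             "sender": event["sender"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(MAIL_EVENTS, TEAMS_EVENTS, HOME_TENANT, ORG_NAME, TRUSTED_DOMAINS):
        print(finding)
```

Requiring two independent indicators keeps routine external collaboration (the partner chat) and genuine internal help-desk traffic out of the alert queue, while the combination of an email flood followed by an external "Help Desk" contact surfaces immediately; the registrable-domain check is a two-label simplification and would use a public-suffix list in production.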