The Black Basta ransomware group has resurfaced with a concerning method of spreading file-encrypting malware, now targeting Microsoft Teams. The group, notorious for cyberattacks on technology, finance, and public sector industries, exploits the popular collaboration platform to infiltrate networks.
First observed in October 2024, this new tactic shows a shift from previous approaches. Active since April 2022, Black Basta initially used spam and social engineering to distribute malware. Now, they impersonate IT support staff or colleagues, tricking users into providing credentials for fake network logins, enabling the deployment of malware. This deceptive method replaces older techniques like phone-based social engineering.
Microsoft Teams is a strategic target due to its global use in corporate communication. Many employees trust messages within the platform, often overlooking verification steps. This makes them more vulnerable to attackers who exploit this trust to gain unauthorized access.
In 2023, Black Basta was connected to email phishing campaigns involving links to malicious websites. While those campaigns focused on harvesting credentials and delivering malware, the group's shift to real-time platforms like Teams indicates a significant evolution in their strategy.
Microsoft urges users to exercise caution with suspicious messages, especially those requesting sensitive information or financial transactions. "If a message in Teams appears to ask for credentials or money transfers, users are advised to verify the sender’s identity through other channels," the company recommended. Avoiding unknown links and confirming requests through phone or email are key practices to prevent such attacks.
