The ransomware group Black Basta was observed abusing Teams chat by impersonating the Help Desk, initiating a remote session, and distributing malware.
The attackers entice the user to grant access via RMM tools, either native (Quick Assist) or third-party, such as AnyConnect.
Using that remote access, the attacker can distribute malware, disable security measures, steal sensitive information, and expand their foothold.
Typically, the Black Basta group used social engineering, malware botnets, and phishing attacks to gain access to corporate networks.
In late October 2024, they shifted their strategy to using Microsoft Teams to breach organizations.
Abusing Teams Chat to Drop Malware
According to an NVISO Labs report, the attacker creates a new M365 tenant to look like a trustworthy organization.
The attacker floods the user’s mailbox with spam emails that are benign, such as newsletter subscriptions.
Posing as Help Desk or IT support staff, the attacker starts a Teams chat with the user (usually OneOnOne) and offers to help with the spam email issue.
The attacker then persuades the victim to grant access using RMM tools, initiate remote access to spread malware, disable security measures, and collect sensitive data.
Notably, ReliaQuest spotted Black Basta affiliates refining their techniques in October, including the use of Microsoft Teams and malicious QR codes in the chats.
To defend against this particular threat, organizations can stop phishing chat messages by disabling Teams communication with users outside the organization.
If it is not possible in your environment, you can specify which domains can communicate with your company.
Additionally, putting anti-spam rules in place will stop spam emails from flooding the user’s inbox.
Lastly, since Teams logging, and more specifically the “ChatCreated” event, is used for detection and investigation, make sure it is enabled.
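As an added example (not from the original article or any vendor report), the following Python script scans a JSON-lines export of ChatCreated audit records and flags one-on-one chats opened by a participant from a domain that is not on the organization's allowlist, especially when the sender uses a help-desk style display name. The allowlist, the sample records, and the field names (Members, UPN, DisplayName, ParticipantInfo, CommunicationType, ChatThreadId) are assumptions for this example; adjust them to match your own audit export.

```python
import json
# Constructed allowlist: domains permitted to chat with the organization via Teams.
ALLOWED_DOMAINS = {"corp.example", "partner.example"}
# Display-name fragments an outside sender should not be using (help desk impersonation).
IMPERSONATION_TERMS = ("help desk", "helpdesk", "it support", "service desk")

def chat_findings(record, allowed_domains=ALLOWED_DOMAINS):
    """Return reasons a ChatCreated audit record looks like help-desk impersonation (empty if benign)."""
    reasons = []
    if record.get("Operation") != "ChatCreated":
        return reasons
    # Field names below are assumed to follow the Microsoft 365 audit schema for Teams; adjust to your export.
    if record.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
        reasons.append("chat includes users from a foreign tenant")
    externals = []
    for member in record.get("Members", []):
        upn = member.get("UPN", "").lower()
        domain = upn.rsplit("@", 1)[-1] if "@" in upn else ""
        if domain and domain not in allowed_domains:
            externals.append(member)
            reasons.append(f"participant from non-allow-listed domain: {upn}")
            name = member.get("DisplayName", "")
            if any(term in name.lower() for term in IMPERSONATION_TERMS):
                reasons.append(f"external sender uses help-desk style name: {name}")
    # A one-on-one chat with an outsider matches the reported pattern; call it out explicitly.
    if externals and record.get("CommunicationType") == "OneOnOne":
        reasons.append("one-on-one chat with an external participant")
    return reasons

def scan_audit_log(lines, allowed_domains=ALLOWED_DOMAINS):
    """Parse a JSON-lines audit export and map ChatThreadId -> reasons for suspicious chats."""
    hits = {}
    for line in filter(str.strip, lines):  # skip blank lines in the export
        record = json.loads(line)
        reasons = chat_findings(record, allowed_domains)
        if reasons:
            hits[record.get("ChatThreadId", "<unknown>")] = reasons
    return hits

# Constructed sample records (not real audit data): one internal chat, one impersonation attempt.
SAMPLE_LOG = [
    json.dumps({"Operation": "ChatCreated", "CommunicationType": "OneOnOne", "ChatThreadId": "thread-1",
                "ParticipantInfo": {"HasForeignTenantUsers": False}, "Members": [
                    {"UPN": "alice@corp.example", "DisplayName": "Alice"}, {"UPN": "bob@corp.example", "DisplayName": "Bob"}]}),
    json.dumps({"Operation": "ChatCreated", "CommunicationType": "OneOnOne", "ChatThreadId": "thread-2",
                "ParticipantInfo": {"HasForeignTenantUsers": True}, "Members": [
                    {"UPN": "support@lookalike-tenant.example", "DisplayName": "Help Desk"}, {"UPN": "alice@corp.example", "DisplayName": "Alice"}]}),
]
```

Running `scan_audit_log(SAMPLE_LOG)` reports only thread-2, with four reasons; feed it the real export once the ChatCreated events are being logged.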